
Google+ and The Trouble With Tribbles

In a prior post I talked about the backlash against the “Real Names” policy that Google has instituted for its Google+ social network. The resulting nymwars are in full force, and drew me into a very interesting Twitter back-and-forth between Kevin Marks, myself and Tim O’Reilly over the weekend, which Kaliya (or IdentityWoman, as she is really known) documented here. Today, it prompted Gartner’s Distinguished Analyst (and Prophet of Pull) Bob Blakley to fire a salvo at Google’s “insanity” in creating “an antisocial space in what is supposed to be a social network (that) is at odds with basic human social behavior”. It’s an excellent post in inimitable Bob style, but I did want to focus on one point where I may differ from Bob a bit.

In his post, Bob talks of Google trying to do social with an eye on the lucrative targeted advertising dollars that Facebook is currently hogging. This is the motive I alluded to at the end of my post as well. But things (appear to) have become a bit clearer here (albeit still speculation). During an interview with NPR’s Andy Carvin, Google CEO Eric Schmidt didn’t throw out the usual pro-Real-Name arguments about maintaining civil discourse online and such, but basically talked about Google’s ambition to be an identity service – a platform on which commerce and government services can run. And for such a platform to be widely adopted and billable, the data needs to have a certain fidelity – no different than the kind of identity stores we build within enterprises today.

Google already has such an identity platform – it’s called Google Profiles. If you’ve ever created a GMail account for any reason – as a GMail user, to enable an Android phone, for using Picasa – you have a Google Profile. The problem is that these service-derived profiles are of low value to the user, created only to get on to the desired service, and so they are never maintained and have low data quality. And like in a lot of enterprises that engage in identity administration and provisioning projects, Google has to deal with multiple identities per person that need to be linked and correlated. If doing that is hard in the enterprise space, imagine how hard that is to do in the personal space where users not only have no reason to facilitate this, they actively engage in keeping some of these profiles separate and distinct. Just in writing this post I noticed that mine still reflects my Oracle position – unlike my LinkedIn, Twitter and Facebook profiles. The common thread through those three services that I kept up-to-date? They’re social, an extension of me into the online world.

That’s why Google+ is so important to Google’s aspirations for Google Profiles. Google wants to use social as the honeypot that draws in all those users and keeps them highly engaged and motivated to keep their data up-to-date. They see how well this is working for the Facebook identity platform and want to replicate that success. But here’s the disconnect – Facebook got to this spot organically. While Zuckerberg may be a visionary in many aspects, his first priority when building Facebook was to build a social network where people would hang out. As the social engagement increased, the number and fidelity of identities in Facebook’s database grew as well. The team then pounced on the opportunity to build a platform out of this. In true engineering-driven style, Google is reverse engineering this – seeing where they want to get to and trying to replicate the same path, but instituting fixes that short-circuit what took Facebook years to do. Except that there are no shortcuts.

The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts, and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by its socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

Do you know what you get if you feed a tribble too much?

Google may think that social is all cute and cuddly, but they may be about to find out that it’s a completely different beast that could clog up their systems. Meanwhile, the battle for our online self-determination will continue. IIW XIII should be a lot of fun.

When Will We Stop Taping Up Our Windows?

It was an interesting weekend, to say the least. I’ve never had to prepare for a hurricane before, so going through the exercise was a revelation in so many ways. You discover what you consider really “valuable” (like when I actually packed my external hard drive that has 10 years worth of digital images and home videos alongside our passports and insurance policies, despite it being backed up online). You also discover how much stuff you have just lying around to clean up.

Is This Your Security Solution?

And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.

Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.

The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harm’s way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane-proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.

It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last-minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?

So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.

[Cross-posted from the Identropy blog]

What’s In A Name? A Lot, Actually

The “Real Names” debate has been fascinating to watch, because it is such an intriguing melange of issues – social conventions, technical requirements, best practices, community responsibility – rolled into what would on the surface seem to be a very simple problem. After all, what we’re really talking about is what value to let people put (self-assert) into the name field that is used prominently in social sites.

This debate is really about the concept of pseudonymity online – an argument that has been going on forever. While pseudonyms and their necessity have long been understood and accepted in the real world, for some reason the same logic is being discredited when the concept is extended to the online world.

As a parent, I know and understand the desire to create a safe haven online for my child. And as someone who does participate in online discussions on blogs and other social media, I am well aware of the problem of spammers and trolls. But these so-called “Real Name” policies have absolutely nothing to do with these issues, which are used as a false crutch to lend legitimacy to the argument. You just have to watch scenes from Capitol Hill, or the British Parliament, or this epic from the South Korean Parliament to see that knowing the commenter does absolutely nothing to tame uncivil discourse (as I hear shouts of “You Lie”!). And since no one is going to pay for any kind of identity proofing to actually validate the identities of these self-asserted “real names”, the promise of protection offered by such a policy is actually a blatant lie.

But what is even worse is that these policies create a discriminatory, exclusionary environment against those that need pseudonymity the most. Kee Hinckley wrote an amazing post that describes why allowing pseudonyms is a crucial part of society’s fabric, especially when brought online. What really gets me is the hypocrisy of social networks touting their role in social and political movements like the Iran and Egypt uprisings or support networks for LGBT youth, and then instituting policies that would remove the very protections that the people involved in those movements relied on. In the case of people organizing and posting during the Middle East movements, pseudonymity was a key requirement enabling them to do their work without fear of reprisal on them or their families. And the fact that they were pseudonyms did not detract from us believing (trusting) them, as they built their reputation over time through their actions and voice online.


The names we choose online are also key to establishing context for what we are doing, and even more important in keeping apart the different contexts that we want to keep separate. While the ability to link disparate personae is getting easier every day as complex data analysis on publicly available data becomes cheaper (I would point you to Bob Blakley’s excellent “The Death of Authentication” talk if it ever makes its way online, but read commentary here), it is still not possible for the casual observer that we care about in a social sense (the one that would care if you are a gay rights activist who also happens to teach in their son’s school). These contexts also allow the building and establishment of reputations that would get diluted by all the extraneous noise that would come from combining them.

It is true that as commercial entities, Google and Facebook are well within their rights to establish any sort of policy that they want, and that as consumers we are free to take our business elsewhere. But that argument misses a much larger reality. As much as we may want to deny it, Google and Facebook are an increasingly large part of the very fabric of our online existence, and exert huge sway over how the business of the internet is being shaped. When Randi Zuckerberg throws out ridiculous ideas that “anonymity must be eliminated online” (not just on Facebook, but everywhere on the internet), she’s not viewed as just another marketing executive, and it unfortunately has a great deal of influence. Eliminating pseudonyms on networks where “most of” the people are will exclude from these spaces the very people that need the social benefit of their network effects, as Danah Boyd (or should I say @zephoria) so passionately articulates. Being a social network comes with some social responsibility too, and as Paul Carr recently reminded us it would behoove all of us (in the tech industry) to remember that. Because “Real Names” isn’t about eliminating spam and increasing civility. It’s really about ensuring that the data we have online is as real as possible for the benefit of the advertisers who are paying for accurately profiled targets. And I’d argue that even that is a false premise.

The Purpose Driven IAM Life

[Cross-posted from the Identropy blog, where I will be contributing some posts from now on]

Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It’s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here’s the one I took away from Catalyst – fit-for-purpose (putting $1 in the Bob Blakley piggybank).

For a while now, it’s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it’s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still much we can do to improve its maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear of massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn’t a sufficient control? How many connector development projects were defined to automate provisioning to many 100s of targets, without any ROI calculations ever being done to determine its value to the business (though its value to the implementing SI was all too obvious)?

Look Familiar

The angst has gone so far as to create a whole new market – Identity & Access Governance (IAG) – and marketing terms like “next generation provisioning”. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with Thor’s Xellerate provisioning product (now Oracle Identity Manager) back in 2003, when we created full-fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.

The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved – in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.

This is the philosophical approach to IAM that attracted me to Identropy, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing SCUID Lifecycle. Lifecycle is not meant to be all things to all people. It’s meant to be exactly what is needed for the majority of customers out there. We’ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I’ve started. And I’m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.

These Guys Are Here To Help

And Now For Something Completely Different

At the Cloud Identity Summit last week, one thing was patently obvious – the agenda was filled with super interesting talks from very talented speakers. So given that I was talking about the riveting (not!) topic of user provisioning, I knew I had to pique people’s curiosity to draw them in. To that end, I enlisted the help (so to speak) of those most curious of entertainers, the incomparable Monty Python, in a talk entitled “And Now For Something Completely Different – Identity Provisioning and the Cloud”. You can check out the slides and recording below.

The central idea of the presentation was that the cloud has caused the seemingly well-understood, albeit reviled, discipline of user provisioning to splinter (SPLITTER!) into 3 different factions – the Traditionalists, the Progressives and the New Age Thinkers. You’ll have to listen to my talk to understand it in more detail, but the reviews of my talk on Twitter seemed to be “certified fresh”. While Ian Glazer pondered:

This JIT + Pull model that @NishantK proposes in a new age wrapper on a traditional core – externalized authZ fixes some problems #cis2011

I did have Paul Madsen raving:

I declare @nishantk Python theme for #cis2011 prez a success. And am reconciled to seeing it over and over for next 3 years

All in all, I think I accomplished my goal of edutaining the folks at CIS on the continued existence of user provisioning, and its future prospects. Because the account CRUD problem will continue to be a weight around the neck of enterprise cloud adoption unless we put in place the right solutions.

From The End Spring New Beginnings

As I posted on Friday, I decided it was time to close the chapter on my career at Thoracle (by the way, the positive wishes in response from all of you has been quite gratifying). But it wasn’t without knowing what the next chapter was going to bring. It’s going to be a busy July in Identity, as I talked about earlier, and I wasn’t about to show up at Cloud Identity Summit and then Catalyst as a free agent (though it would have been interesting to see what would have happened).

I’m not a Lebron James, so I can’t really drag this out for an unnecessary 5 paragraphs (though I do feel like I am joining an All-Star team). So here it is. Starting today, I am going to take my talents (be what they may) to Moonachie NJ and join Identropy.

For a while now I’ve been wanting to get back into startup mode, to really tackle the identity management problem the way I want to. These are interesting times we are living in, as they say, and there is a real opportunity to turn this space on its head. And I’m going to get that chance now, as Chief Architect in a company that has all the necessary elements in place – a crackerjack team, innovative thinking and an unwavering focus on the needs of the customer. They’ve already had one incredible and unique solution – SCUID Operations – come out of that approach, and I’m excited to see what I can bring to the party.

Like I said in my farewell post, the number one thing for me is the team, and Identropy is an incredibly talented and passionate group of individuals working towards one vision. I’ve worked with some of these guys in the past (and didn’t hold it against them when making the decision to join), and have interacted with others over the years in this little community of ours. I’ve always had a deep respect for their expertise and commitment, and love that they’re the kind of people you want to go out and have a beer with at the end of a hard day. The relationships they have built with their customers are enviable by all standards. And they have an open, collaborative culture that should be fun to work in.

My first contribution to Identropy – A Gapingvoid print that captures why I joined

I am really looking forward to what we can accomplish together. It should be one hell of a ride. Of course, all my other nonsense – Twitter, this blog, the conference circuit rounds – will continue as before without interruption. I’ve only just scratched the surface of what I’ll be working on, and will definitely be sharing more in the coming weeks. But if you want an in-person take, grab me in Keystone or in San Diego. Be warned though – you may have to be the one buying the round (I am back in startup mode, after all). See you there.

As They Say, All Good Things Must Come To An End

Today is my last day at Oracle, ending an era of my life that began over 10 years ago at Thor Technologies. Back then, I had no idea about the scope of the journey I was embarking on. I had no idea I was entering a space that was going to become so hot and scrutinized, alternating between being loved and hated (with a passion). They didn’t even call it “identity management” back then.

View from my cube at Thor WTC

No, back then I was just a wide-eyed youngster (with a lot more hair) that stepped into an office on the 87th floor of the World Trade Center, met an energetic team raring to go, saw an amazing view from an empty (and available) cubicle and decided that he wanted to work there, because it would be cool. And it was cool, but not for the reasons I imagined.

It has been a wild, roller coaster ride. The stars in my eyes at working in the WTC were replaced by the bags under my eyes as we tried to salvage our future out of the rubble of 9/11. Weeks spent decompiling demo systems trying to recover lost code (no one ever questioned off-site backups again) gave way to a relentless cycle of code, build, demo. I’ll never forget one hellish 80 hour stretch that involved no sleep, non-stop coding even as I crossed the Atlantic on a flight to Heathrow, going straight from the airport to an office and giving the demo of a lifetime. Getting customers was never easy, but it did get easier (though never more fruitful) than the months negotiating requirements leading up to our first customer win (RIP, Lehman Brothers). Temporary office space on Park Avenue gave way to the most amazing office in the Meatpacking District, well before it was cool to be there. Long, drawn out and painful POCs transformed into great relationships with customers that would explode into a frenzy every year at TAC. It was an unforgettable experience that helped define me and my career.

The Thor Crew At The Farewell Party

And then came the acquisition by Oracle. A new journey started, one which took us from underdog in the space to the undisputed King Kong of identity management. The problems got richer and more complex. The discussions got more intriguing and part of a larger tapestry. The community got bigger and more raucous. And the bar tabs got progressively more impressive.

Almost on the mound at AT&T Park

None of this would have been possible without a good band of merry men and women, and I certainly had that. These are the folks that taught me about true professionalism and dedication. They showed me just how much can be accomplished, and how much fun it can be, when done with camaraderie, enthusiasm and good humor. From them I learnt that what matters most is the team you work with, a mantra that I have taken to heart and hope to replicate any place I go.

It’s been a great journey. I worked very hard, played even harder, and enjoyed every moment of it. Along the way I felt like I was able to contribute to some great accomplishments. I learnt a lot – about technology, about teamwork, and about myself. And I met and worked with some inspiring people. All of which I am eternally grateful for.

As for what I am doing next? Well, that’s for another blog post…

Time To Put Your Thinking Caps On

Mike Neuenschwander has dubbed July as Identity Conference Month. And he should know, given that so many of his signature moments were on stage at the Catalyst conference that will be returning at the end of this month (July 26-29 in San Diego). Catalyst is always the most thought-provoking identity event of the year, but there is added intrigue this year, as a lot of us recurring *characters* are wondering what impact the Gartner takeover of the event (last year’s was still run by the Burton folk) will have on its ethos. I’ll be dropping in as always to learn, converse, incite and, of course, party.

The week before that, the Cloud Identity Summit (July 18-21) will once again be warming us up for Catalyst by hosting an impressive gathering of subject matter experts and thought leaders talking about the intertwined worlds of identity and the cloud. And this year, I’ll be there too, giving a talk on the future of identity provisioning (July 20 at 12:00pm). Following up on the talks I gave last year at Gluecon and at Catalyst, I’ll be bringing my cred as a provisioning expert to bear in examining if identity provisioning even has a future in the pull-based future of identity (spoiler alert: it does), and what it might look like, given recent developments in the space and advancements in cloud architectures. In an unfortunate scheduling mishap, I will be going up against Pamela Dingle’s session on identity and mobility, which I would have loved to sit in on myself. I’m sure she’ll be peppering her session with cuteness in the form of cats or cuddly toys, so I’m going to have to up the game and incorporate something bad-ass into my session, like Transformers or Angry Birds (Iron Man was so last year). Pam, you’re going down :)

Two weeks. Two great conferences. And me at both. So be there or be square!

FFIEC Updates Their Guidance. And The Winner Is…

In my last post, I mentioned that the FFIEC was preparing an update to their 2005 guidance on internet banking authentication. Well, that update is out, and Anil John couldn’t wait to let me know about it (:)). The update, entitled ‘Supplement to Authentication in an Internet Banking Environment’, recognizes both the growth in online banking and the dramatic change in the nature of internet threats it faces. The supplement stresses three key areas:

  1. the need for financial institutions to perform risk assessments against an ever-evolving threat landscape,
  2. the need to implement and constantly adjust a layered security strategy to mitigate the identified risks, and
  3. the requirement to raise customer awareness of potential risks through education programs.

The most telling aspect of the enhanced guidance seems to be its recognition of the fact that the threat landscape is not just different from what existed in 2005, but constantly evolving. Without actually stating this explicitly, the guidance attempts to make the point that this constant evolution means that any guidance put forth will become defunct pretty quickly, and places responsibility on financial institutions to make the effort in understanding the risks they face (through periodic risk assessments) and continuously improving their security posture in response. Personally, I would have liked to have seen them be much more explicit and take a much harder line on this, because multiple case studies and anecdotal evidence suggests that far too many banks put in the minimal effort necessary to simply comply with the letter of the 2005 guidance without attempting to be true to its intent.

An Emphasis on Risk-Based Authentication

The guidance brings out the need for financial institutions to create a more accurate and granular model of their risks based on a much wider variety of factors than previously described – the evolving threat landscape, the changes in the nature of their customer base and the kinds of transactions being done online. A more accurate calculation of the transaction’s risk must then be mapped to appropriate security controls, both at the time of the initial authentication (logon) and at the time of the transaction itself. The supplement (smartly) brings out the need to factor in contextual information – from environment variables like device identification and time of day to detection of anomalies in behavior patterns – in any risk calculation. Interestingly, both anomaly detection and privileged account management are emphasized in the security architecture.
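As an added example (not from the FFIEC supplement, nor from any product mentioned in this post), here is how the contextual factors it lists can feed a risk score that is mapped to a layered control at logon and again, with a tighter threshold, at transaction time. The signals, weights, thresholds and the sample customer are constructed assumptions.

```python
# Added illustration of risk-based authentication in the style the FFIEC
# supplement describes: score the context of a logon or transaction, then map
# the score to a layered control. Factors, weights, thresholds and sample data
# are constructed assumptions, not values from the guidance or any vendor.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """What the institution already knows about a customer (constructed sample)."""
    known_devices: frozenset        # device identifiers seen before
    usual_countries: frozenset      # countries the customer normally connects from
    active_hours: range             # hours of day the customer normally banks
    typical_amount: float           # typical transaction size


@dataclass
class Context:
    """Contextual signals available at logon or at transaction time."""
    device_id: Optional[str]        # cookie-derived identifier; None if missing
    country: str                    # geolocation of the source IP address
    hour: int                       # local hour of day, 0-23
    amount: float = 0.0             # 0.0 for a plain logon
    new_payee: bool = False         # paying someone never paid before


# Assumed weights, chosen so that two strong anomalies together reach the
# strongest control while a single one only triggers step-up authentication.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_location": 30,
    "unusual_hour": 10,
    "amount_anomaly": 25,
    "new_payee": 15,
}

# Thresholds differ per stage: a transaction that moves money gets a tighter
# allow band than an initial logon (score < allow -> allow; < strong -> step-up).
THRESHOLDS = {
    "logon": {"allow": 30, "strong": 70},
    "transaction": {"allow": 20, "strong": 60},
}
STRONG_CONTROL = {"logon": "block", "transaction": "hold_for_review"}


def score(ctx: Context, prof: Profile) -> tuple[int, list[str]]:
    """Return a risk score and the list of signals that contributed to it."""
    hits = []
    if ctx.device_id is None or ctx.device_id not in prof.known_devices:
        hits.append("unknown_device")
    if ctx.country not in prof.usual_countries:
        hits.append("unusual_location")
    if ctx.hour not in prof.active_hours:
        hits.append("unusual_hour")
    if ctx.amount > 3 * prof.typical_amount:
        hits.append("amount_anomaly")
    if ctx.new_payee:
        hits.append("new_payee")
    return sum(WEIGHTS[h] for h in hits), hits


def decide(ctx: Context, prof: Profile, stage: str) -> str:
    """Map the score to a control: allow, step_up (e.g. an out-of-band OTP),
    or the stage's strong control (block a logon, hold a transaction)."""
    total, _ = score(ctx, prof)
    t = THRESHOLDS[stage]
    if total < t["allow"]:
        return "allow"
    if total < t["strong"]:
        return "step_up"
    return STRONG_CONTROL[stage]


# Constructed sample customer and events.
ALICE = Profile(
    known_devices=frozenset({"dev-aaa111"}),
    usual_countries=frozenset({"US"}),
    active_hours=range(7, 22),
    typical_amount=200.0,
)
EVENTS = {
    "routine_logon": (Context("dev-aaa111", "US", 9), "logon"),
    "new_laptop_logon": (Context("dev-bbb222", "US", 9), "logon"),
    "large_new_payee": (Context("dev-aaa111", "US", 14, amount=1500.0, new_payee=True), "transaction"),
    "foreign_night_transfer": (Context(None, "GB", 3, amount=250.0), "transaction"),
}


def run_all(prof: Profile = ALICE) -> dict:
    """Evaluate every sample event; returns event name -> decision."""
    return {name: decide(ctx, prof, stage) for name, (ctx, stage) in EVENTS.items()}


if __name__ == "__main__":
    for name, (ctx, stage) in EVENTS.items():
        total, hits = score(ctx, ALICE)
        print(f"{name:24} {stage:12} score={total:3} {decide(ctx, ALICE, stage):16} {hits}")
```

Note that the new laptop alone only earns a step-up, while the foreign night-time transfer from an unrecognized device crosses into the hold band even though its amount is unremarkable; that is the layering the supplement asks for.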

Calling Out Outdated Techniques

Both device identification (through cookies) and challenge questions are called out as having to be enhanced from their previous “simple” models to more sophisticated, or “complex” models. While the enhancements recommended in both cases are improvements, I don’t believe they go far enough. In the case of challenge questions, for instance, it recommends

  1. increasing the number of challenge questions asked (without actually giving a number, so in theory just increasing from 1 to 2 is good enough),
  2. avoiding challenge questions that can be answered by mining the users information through online searches and social networks,
  3. including a “red herring” question that a fraudster would attempt to answer but a legitimate user would not (huh?), and
  4. using only a random subset of the challenge questions that the user has provided answers for in a single session.

This guidance fails to take into account that this is actually hard to implement without neutering its effectiveness. Forcing users to set up more challenge questions usually leads to selection of easily guessable answers, and more helpdesk calls. The 2nd item above is very subjective, and the harder you make the questions, the more likely the legitimate user will mess them up too. And I don’t even know how the 3rd item is supposed to work.

Also of note, the guidance does point out the decreased effectiveness of multi-factor authentication (even though it was probably drafted before the RSA breach compromised SecurID tokens). It does however advocate its use as one of the many controls in a layered model. Out-of-band authentication mechanisms (like those delivering One Time Passwords over SMS) get a fair amount of time in this paper as a practical solution.

What’s Missing

I was disappointed that the guidance didn’t talk more clearly about passwords, and the need to really educate consumers about both better policies and their inherent ineffectiveness. And I think the fact that there was not a single mention of federated identity, especially in the context of “Business/Commercial Banking”, was a real missed opportunity for the FFIEC to move the discussion towards a better security architecture. I’m sure Stephen Wilson is not surprised by that, though.

Looking Forward

The guidance will go into effect starting January 2012, so there will probably be some banks scrambling to understand the implications for the controls they have already deployed. Smarter institutions that have been paying attention to the security landscape all along will probably find that they are in good shape, but many who did the bare minimum and now want to meet these guidelines will face some serious work. I predict an uptick in the interest that risk-based security products like Oracle Adaptive Access Manager will garner in the market. The emphasis on staying up to date with the ever-evolving threat landscape will create a requirement for more dynamic security products that aid not just in enforcing stronger controls, but in assisting with the periodic risk assessments (Identity Intelligence, anyone?).

But the fact that this is guidance and not a regulatory mandate means that a lot of institutions will continue to pay lip service to it. Which is why the real emphasis needs to be on changing the fundamental security architecture underlying (and infiltrating) enterprise IT. The consumerization of IT will probably play a far bigger role in driving this change than the FFIEC guidance will. Time will tell.

So What Does Constitute “Reasonable” Security?

A couple of weeks ago, I tweeted about what I called a must-read article by Brian Krebs. Fellow identirati Anil John lamented yesterday that we hadn’t discussed this more in the community, and on second glance I can see why. The article covers a court case where the magistrate was basically asked to decide what constitutes “commercially reasonable” security. While most of our collective ire seems to have focused on the seeming unfairness of the ruling, and the implication that “passwords + challenge questions = multi-factor authentication” (as prescribed by the FFIEC guidelines), there is much more to learn from the story.

As the article described, part of the bank’s security infrastructure included risk-based security based on RSA’s Cyota product, which “rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site”. This actually provides a much better layer of protection than simply authenticating the user based on passwords. Context-based security is a key element in the multi-layered security architecture that is the future of enterprise security, as I laid out in my recent talk.

But the bank actually made a big mistake in its implementation. As the article describes, the bank reduced the threshold for kicking in the 2nd factor (challenge questions) to $1, effectively eliminating that component from their security architecture. Once every transaction trips the challenge, the risk score no longer changes any outcome, so they might as well not have had it: they were completely ignoring any kind of risk calculation that was being done.

In other words, all they had was “password+challenge questions”!

And as we have talked about ad nauseam, in this day and age this is simply not enough. Passwords and challenge questions are nowhere near what I would call adequate security for an environment that includes high-risk transactions (like bank transfers). And while there will be great resistance to any (strong authentication) solution that would appear to increase friction for the user in executing their transactions (witness the continued lack of PINs for credit cards in the US), I think the tides are changing with respect to users understanding the risks and wanting more from their online security.

Risk-based security models also need to involve monitoring and alerts, and even denial of access, for exception conditions (like a new device ID being used). And the 2nd (or 3rd, or…) factors employed must be commensurate with the nature of the online transactions. Challenge questions may be fine when we’re talking about a low-risk consumer site like a gaming site (though even they have gone beyond these). Higher-risk sites should employ more sophisticated factors like out-of-band challenges (the occasional SMS-based challenge, or voice-based identification, for instance), so long as they are used with the correct risk scoring to trigger them. And despite the naysayers, I do believe externalized identity providers could help serve this market.
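The bank’s $1-threshold mistake, and the exception handling called for in the paragraph above, as an added example. This is not the bank’s or RSA’s code and not Cyota’s scoring model; the weights, thresholds, field names and sample sessions are constructed assumptions. It scores the context the article lists (device, location, timing, navigation) plus two transaction signals, then applies two policies to the same three sessions: one where step-up fires on every transaction over $1, and one where the score drives step-up and outright denial. A helper checks whether the score ever changes a decision under each policy.

```python
from dataclasses import dataclass

# Added example: weights, thresholds, field names and sample data are
# assumptions for illustration, not RSA Cyota's model or a bank's configuration.


@dataclass(frozen=True)
class Profile:
    known_devices: frozenset
    home_country: str
    usual_hours: range           # hours of the day this customer normally logs in


@dataclass(frozen=True)
class Session:
    device_id: str
    ip_country: str
    login_hour: int
    navigation: str              # "browse" (normal) or "direct" (straight to the transfer page)


@dataclass(frozen=True)
class Transaction:
    amount: float
    new_payee: bool


def risk_score(profile: Profile, session: Session, txn: Transaction) -> int:
    """Contextual score over the factors the article lists; higher is riskier."""
    score = 0
    if session.device_id not in profile.known_devices:
        score += 40              # new device ID: the strongest single exception condition
    if session.ip_country != profile.home_country:
        score += 30
    if session.login_hour not in profile.usual_hours:
        score += 10
    if session.navigation == "direct":
        score += 10              # scripted sessions rarely browse before transferring
    if txn.new_payee:
        score += 20
    if txn.amount >= 10_000:
        score += 20
    return score


def decide(score: int, amount: float, *, step_up_amount: float,
           step_up_score: int, deny_score=None) -> str:
    """Return 'deny', 'step_up' (out-of-band challenge) or 'allow'."""
    if deny_score is not None and score >= deny_score:
        return "deny"
    if score >= step_up_score or amount >= step_up_amount:
        return "step_up"
    return "allow"


def evaluate(profile, scenarios, **policy):
    return [decide(risk_score(profile, s, t), t.amount, **policy) for s, t in scenarios]


def score_changes_any_decision(profile, scenarios, **policy) -> bool:
    """Does the risk engine do any work under this policy? Compare the real
    decisions with what a score-blind policy (score forced to 0) would decide."""
    real = evaluate(profile, scenarios, **policy)
    blind = [decide(0, t.amount, **policy) for _, t in scenarios]
    return real != blind


# Constructed sample data.
PROFILE = Profile(known_devices=frozenset({"dev-a1"}), home_country="US", usual_hours=range(7, 20))
SCENARIOS = [
    # routine: known device, home country, business hours, existing payee
    (Session("dev-a1", "US", 10, "browse"), Transaction(250.0, new_payee=False)),
    # the same small transfer from a never-seen device
    (Session("dev-zz", "US", 10, "browse"), Transaction(250.0, new_payee=False)),
    # new device, foreign IP, 3 a.m., straight to the transfer page, new payee, large amount
    (Session("dev-qq", "XX", 3, "direct"), Transaction(95_000.0, new_payee=True)),
]

# Patco-style configuration: challenge questions on every transaction of $1 or more.
PATCO_LIKE = dict(step_up_amount=1.0, step_up_score=40)
# A policy that lets the score drive step-up and denies outright on exception conditions.
RISK_AWARE = dict(step_up_amount=5_000.0, step_up_score=40, deny_score=80)

if __name__ == "__main__":
    for name, policy in (("patco-like", PATCO_LIKE), ("risk-aware", RISK_AWARE)):
        print(name, evaluate(PROFILE, SCENARIOS, **policy),
              "score matters:", score_changes_any_decision(PROFILE, SCENARIOS, **policy))
```

Under the $1 policy all three sessions get the same challenge, the legitimate customer hands over the answers on every visit, and a score-blind policy would have decided identically; the risk engine is paid for and ignored. Under the second policy the routine transfer goes through, the new device alone forces an out-of-band challenge, and the session that trips every signal is denied rather than merely questioned.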

Crucially, the FFIEC seems to recognize that security threats have evolved dramatically since its guidance was issued in 2005, and is preparing an update. From all indications, it would seem to put much more responsibility on the shoulders of financial institutions, asking them to put in place greater measures based on layered security to address fraud and attack vectors like Man-in-the-X attacks, and much more. Unfortunately, it will be too late to help Patco Construction. Let’s just hope other businesses are paying attention and getting ahead of the curve.

Nishant Kaushik, architect of Identity Management