The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management

The F.B.I. said that the younger Mr. Kernell allegedly hacked into the account in mid-September by resetting Gov. Palin’s password.

I obviously don’t know the specifics of how the F.B.I. says the password was reset. But for the sake of our discussion, let’s assume that the email system relied on a typical challenge response mechanism (currently the norm in most free email systems). The hacker obviously didn’t know the password, but was able to reset the password to something of his/her choosing by successfully answering the challenge questions. In the age of Google, how hard is it to find out the the first school, the first car, the mother’s maiden name or the pets name of a famous public personality like Sarah Palin?

As Bob Blakely likes to point out, there are no secrets any more therefore any system that relies on secrets is inherently flawed.

In a completely separate conversation, a colleague of mine sent me the following thought:

All the banks and merchants I do business with online have been increasing their level of security, especially with password complexity requirements.  Historically I have limited all my passwords down to 3 based on the type of site so I had no need to write them down.  Now because of all the different password complexity requirements, especially the password history requirement, I can no longer do that…. so I’m now forced to write them down

In some sick way, more security by merchants is now leading to worse security for me, the user.  I’m forced back to the sticky note.

From the Good News/Bad News Department

The bad news in all this is that we seem to be going through a phase where additional mechanisms introduced to secure the systems in a user-friendly manner have actually exacerbated the problem because they rely on flawed assumptions. The above issues are clear illustrations of this. The mechanisms deployed (challenge response, password complexity requirements) would have been fine on their own for the system they are meant to protect. But these solutions did not anticipate how they would be impacted by the reality of their users online environment. The aggregation of multiple such systems for a user actually ends up degrading the effectiveness of these solutions, to the point where they end up becoming liabilities instead.

The good news is that new technologies and solutions are emerging that (hopefully) will address these problems. OpenID and Information Cards aim to rid us of the multiple password problem by promising a world of reduced sign-on built on trust. Identity assurance technologies (like the ones in Oracle’s Identity Assurance Partner Alliance) provide safer, more reliable means to verify the interacting parties identity than traditional challenge response mechanisms, thus preventing the kind of attacks described above.

So better days are coming. The real challenge ahead of us is getting all involved parties (consumers, online enterprises, vendors) educated on how these solutions can be used to make our online lives more secure.

Tags: Identity Assurance, Password Management, User-Centric Identity

So what exactly is Identity Assurance? Simplistically, Identity Assurance is the ability to determine, with some level of certainty, that the person (identity) presenting themselves in an identity transaction is who they are claiming to be. The level of certainty one can have about the presented identity is what is referred to as the “Assurance Level”. Identity Proofing is another term that is used in this context (and that I have used in the past), though it is more commonly associated with the verification of ones real world identity during the registration process.

So what are these two initiatives, and how are they related?

Identity Assurance Framework – Think TRUSTe for IdPs

The IAF is coming at the Identity Assurance discussion purely from the authentication angle, especially within federation contexts. It is based, in part, on the Electronic Authentication Partnership Trust Framework and the US E-Authentication Federation Credential Assessment Framework, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it attempts to define a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications.

The IAF has published a standard set of assurance levels regarding the authentication of the user (Level 1 means low assurance, Level 2 means medium assurance, and so on. As of today, there are only 4 levels of assurance, Level 4 being the highest level). When a digital token is issued, it states the level of assurance at which the user was authenticated – Level 1 through Level 4.

The IAF defines a certification process through which an independent auditor assesses whether the issuers interpretation of Level 1-4 meets a standard assessment criteria established by IAF. So one issuer may have used a RSA SecureID token in combination with Username-Password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID-PIN to issue a Level 2 token. The RP receiving the token from both issuers simply knows that both tokens are Level 2, and doesn’t know/need to know what the actual mechanics were, simply that an audit process certified that the mechanism for generating the token meets the criteria laid out by Liberty IAF.

The IAF is NOT defining any technology or standard protocols. In this sense, the IAF is trying to set up something analogous to the way TRUSTe verifies and asserts through their web seal that an eCommerce site is trustworthy.

Oracle Identity Assurance Partner Alliance – Tools of the Assurance Trade

Oracle IAPA aims at extending Oracle’s Identity Management Suite with partner technologies that offer capabilities such as identity proofing, internet geolocation, multi-factor authentication, out-of-band authentication, endpoint security and secure remote access. As such, its charter is pretty broad in combating identity fraud and providing context-aware security, and this encompasses identity assurance.

The solutions in the IAPA can provide the underlying mechanism by which an IdP can support the main tenet in the IAF, wherein an assertion can be trusted (at varying levels of assurance) to really belong to the entity represented. The IAPA steps in as a way for Oracle IAM to leverage technologies that enhance an authentication process with additional “challenges” that up-level the authentication assurance to the appropriate level – whether it be by using a biometric challenge, a voice challenge, a knowledge challenge based on external data aggregators, etc. So Oracle IAM + IAPA is positioned nicely to be the execution/implementation arm of an IdPs IAF compliance efforts.

Looking To Tie Them Together

One thing I will be exploring is the possibility of having the IAPA stack go through the Liberty IAF audit process. Then any customer deploying Oracle Access Management in conjunction with one of our partners would immediately know the IAF assurance levels of the authentication tokens being issued. Conversely, a customer that is targeting being able to issue credentials of certain assurance levels will be able to identify the solutions that will meet their need.

Tags: Digital ID World, Identity Assurance, Identity Assurance Framework, Identity Assurance Partner Alliance, Oracle OpenWorld