Establish Your Fundamental Security Posture

Part of the allure of cloud-based services is the whole access from anywhere aspect of it -  at work, on the road, in a coffee shop, in a public park, in your hotel room. As public, often free, wifi becomes something we (especially road warriors) start to rely on more, make a checklist of things you do in order to secure your interaction with cloud services, which should include (but isn’t restricted to):

1. Make sure you secure your communication with cloud services by using HTTPS instead of HTTP. I highly recommend installing the ‘HTTPS Everywhere’ plugin that the EFF have released
2. Use a Virtual Private Network. It lets you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you’re on a public one. A lot of people can get it through work, but if your job doesn’t come with one then get your own, like CyberGhost VPN or WiTopia (Check out this Lifehacker article)
3. And watch out for shoulder surfers

Don’t Reuse Your Passwords

It’s an all too common phenomenon: when setting up an account with a cloud service, users are forced to come up with yet another password, and they choose a familiar, well used one. Especially when signing up for services for work, people will often use the same password they use to access services internal to the enterprise (like their email system, or their corporate CRM system). Reusing those passwords definitely helps you remember it for next time, but it’s the equivalent of leaving your house keys in the mailbox – someone else will eventually see it and figure out how to use it.

Better Still, Use A Password Manager

As our usage of the cloud increases and we battle password fatigue, that last point becomes increasingly harder for us. But there are tools like LastPass and 1Password that can help us greatly, not only by remembering the passwords for us (in the cloud, of course) and providing simple plugins to autofill those pesky login forms, but by also generating random string passwords that are stronger than your average password. Just remember to follow all their recommendations: create a really strong and unique Master Password, configure the settings to recognize trusted locations (like your home network), make sure to read their ToS and security policies, and use common sense in trusting what is still a cloud service.

Bring Your Own Identity

But those last two points still rely on having multiple passwords, which is recognized widely as an insufficient approach to security. Federation technology has matured to the point where we can now rely on federated login to cloud services. Most enterprise service providers will support federation with your corporate identity, eliminating the need for passwords to log into these services. And on the consumer side it is becomingly increasingly easy to sign into your services like Tripit or Flickr using your Gmail, Facebook or Twitter identity, using mechanisms like OpenID and OAuth that do not share your password with the relying site. The goal is not to go down to one password for one account that is your key to your online life, but rather have a manageable number of identity providers that you then use to access your various services. And use common sense to evaluate the sensitivity of a particular service before setting up a relationship between it and an external site.

Review Those Service-to-Service Relationships

The concept of a periodic review of user access is a cornerstone in enterprise governance programs. Why should our personal life be any different? As you rely increasingly on the federated model, set up time to periodically go into your services and review which Mobile Apps and 3rd Party Services you have granted access to. Did you grant some twitter ranking site access to your twitter account months ago, but have never gone back and used it? Reviewing the access grants will remind you to sever that relationship, removing any possibility of abuse or exploit.

Are there any other steps you take that help keep you safe? Practical suggestions only please, unlike this (hint: see second last bullet).

[Cross-posted from the Identropy blog]

Tags: Cloud Security, Password Management, Passwords Must Die, Personal Identity Management

TechCrunch blogged about Michael Arrington’s twitter account getting verified without appearing to be verified (no one contacted him). This Mashable post may explain how this happened:

…Twitter will look to see if an official channel of the person in question links to his or her Twitter account from a place like an official website.

This is a good model for verifying a channel -  to look at a known official channel to see if it (officially) links to the channel being verified. However, it doesn’t scale beyond the celebrity use case, because the vast majority of users (like me) do not have anything that Twitter will recognize as an official channel. And Twitter will never have the manpower necessary to run an in-person verification program. But is there a clue buried in how Twitter is approaching this to how we could potentially do this at scale?

An emerging discussion in the identity space has been the topic of reputation as the basis of trust (which is what verified accounts are ultimately about). In the Twitter model, the reputation of the account is enhanced 100% because of it being cited on a well-known, officially recognized website. I recently read a Wired article about a new system for ranking/rating scientists based on number of citations as opposed to publications. Twitter has multiple (similar) variables that could potentially be used to calculate the reputation of a twitter account – number of followers, number of retweets, number/nature/participants of conversations (replies).

If these could be used to calculate the reputation of a twitter account, then you could get to the point where you could calculate the trustworthiness of an account. And then the whole “log in with your twitter account” feature that for now is only getting used in blog commenting systems could take on a much more significant role in the identity metasystem.

Tags: Identity Proofing, Personal Identity Management, Reputation Management, Twitter, Twitter Verified Accounts

Twitter Search will also get a “reputation” ranking system soon, Jayaram told me. When you do a search on a “trending” topic–a topic that is so big it gets its own link in the Twitter.com sidebar–Twitter will take into account the reputation of the person who wrote each tweet and rank the search results in part based on that.

The article does mention that the engineering team at Twitter is still trying to figure out how to do this. But no more than a day later, Stan Schroeder of Mashable pointed out one of the key aspects to making reputation work – it has to be context-sensitive with respect to the identity of the source and their authority on the subject.

Thinking about it, it seems that this reputation ranking system is far more complex than a simple combination of factors such as followers and retweets. The system needs to be contextual; it needs to recognize which tweeple are important for a certain keyword or phrase. For example, tweets from the White House, Barack Obama and politicians aren’t that useful in the context of a Gmail outage, but they’re crucial during some political event.

In other words, the reputation engine (if it is to be done right) can’t just look at the number of followers, the number of retweets and hashtags. It also can’t rely purely on the 140 character biography that all the tweeples have posted on their twitter profiles. No, to really do this thing justice, Twitter (or some other company that could step in) would need to navigate the semantic, social and identity web in a way that builds up an accurate picture of a persons authority regarding a particular subject. And it is not just based on what we put out there, but even more so on what others put out there in response.

If this feels like somebody is about to start building a credit score of our online lives, it isn’t too far off the mark. The implications in the area of personal identity management and privacy could be huge!

This highlights a change we are seeing in the personal identity space. Since there are no secrets any more (as Bob Blakley is wont to remind us every now and then), relationships and reputation are likely to become the primary variables in the identity equation. The question therefore is, what tools do we need to manage and control our online identity in light of this new perspective on identity? Is it simply about having an OpenID and clean living? What tools do the social networks like Facebook and LinkedIn need to incorporate that give us control over not just what we put out there, but what others put out there about us? It’s a tough nut to crack, and should make for some interesting discussions at IIW next week. Maybe I’ll throw it up there on the board as a topic.

Tags: Personal Identity Management, Relationship Management, Reputation Management, Twitter, Twitter Search, User-Centric Identity

Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier – an email address – is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It’s an interesting problem that I think needs to be addressed by the identity community, because if it isn’t, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

Tags: Digital Persona, Enterprise Identity, Information Cards, Personal Identity Management, User-Centric Identity

Information Cards try to mirror the familiar, real-world experience of presenting cards to prove identity and provide information in the online world, and aims to do so in a safe, secure manner that is resistant to phishing, pharming and MITM attacks. Despite having been put into the wild a few years ago, and despite the tireless efforts of people like Kim Cameron and Pam Dingle to make it accessible, there are scant few web sites (of any note, anyway) that actually allow people to use information cards. The ICF (much like the OpenID foundation, which also kicked into high gear a few months ago) is looking to put some weight behind the effort to evangelize the technology and expand its adoption in the marketplace. As it states on the ICF Web site, the foundations purpose is to

Advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

It will be very interesting to see how the ICF goes about doing this, and when results will start to show. But this is undoubtedly the beginning of something big. For all of us.

Links:

• Press Release announcing the ICF
• New York Times article
• SC Magazine coverage

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Information Card Foundation, Information Cards, OpenID, Personal Identity Management, User-Centric Identity

But I couldn’t keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The big effect of this acquisition will be on customers who bought IBM’s current offering in the eSSO space – IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product was based on an OEM of Passlogix’s v-GO product suite. Obviously IBM cannot have two products in their stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from being based on the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip’s reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn’t really an upgrade:

“What marketing won’t say is that the “upgrade” from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentialy a rip and replace. There is no seamless upgrade. Sure, they’ll probably offer some tools to “help”, but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products.”

Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn’t really have to be that way. Passlogix is also the OEM component in Oracle’s E-SSO offering,
Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM’s ire). So there is another option available to ITAM ESSO customers – instead of doing a rip and replace of ITAM ESSO with the next version of ITAM ESSO, do an upgrade of ITAM ESSO to Oracle eSSO Suite. Being based on the same product, the shift is sure to be so much smoother. And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM’s move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica’s U-Prove technology attempts to tighten up the security of identity transactions by decoupling the parties involved in a manner that prevents transmission and use of extraneous data, without sacrificing authenticity of everything involved in the transaction. It uses PKI technology to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is the ability to enforce minimal disclosure of identity data (also referred to as “zero-knowledge” proofs for privacy).

In layman’s terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately provide a security layer to Microsoft CardSpace that it previously lacked. The way that managed cards work, the IdP can accumulate knowledge about the user by analysing the card requests it is fulfilling on behalf of the user. Minimal disclosure tokens make it possible to obfuscate the SP interaction, making it impossible for the IdP to understand how the issued cards are being used, thereby rendering it unable to aggregate any information.

To understand more, read this article in eWeek’s Microsoft Watch.

Tags: Access Control Management, Identity 2.0, Information Cards, Oracle Identity Management, Oracle Identity Manager, Personal Identity Management, User-Centric Identity

While some worry that the entry of such corporate entities could change the focus of what (till now) has been a community and consumer-oriented project, I weigh that against the fact that OpenID would not be relevant in consumer identity unless these players not only accepted it, but championed it. So I think this is a great thing for OpenID.

I am hoping the next step will be that these services start accepting 3rd party OpenIDs instead of just being providers. I look forward to using my Google OpenID at Yahoo.

Tags: OpenID, Personal Identity Management, User-Centric Identity

Predictions are risky business, especially in the slightly schizophrenic world of IdM. On the one hand, things tend to move way too slowly; on the other hand, things emerge out of nowhere to take center stage. So I tend to shy away from making predictions. But I will talk about what I hope to see happen in the coming year. These are not impractical, fantasy wishes that will require me to find a magic lamp buried in the sand. These are things that have a good chance of happening if we as an industry stay focused.

Integrating Risk Management with Identity Management
Recent events have brought to light the need to build comprehensive integration between risk management and identity management software. Oracle’s acquisition of Bharosa last year was a response to marketplace demand to bring more context into the identity management process. There is a better understanding of the complex heuristics that need to become part of identity management decisions, and how to encapsulate them as workflow and rules. The coming year should bring more tools and more capabilities in these areas.

For the longest time, people would talk about integration in the context of product suites. The focus will now shift to integration in the context of pre-canned and pre-defined solutions and workflows.

Role Management Comes Into Its Own
Over the last couple of years, we have seen Role Management become an established part of identity management. But its real value will be realized when it stops being an explicitly deployed and managed part of IdM (a la access management) looking for consumers, and evolves into a business tool that is deployed within the enterprise context of provisioning, entitlement management and ERP. A number of other folks have already challenged vendors to do this, and hopefully a lot of work going on in this area will come to fruition.

The Evolving Identity Framework
There are a couple of things I hope to see happen this year that will help us move towards our ultimate vision of how identity is used.

• The Identity Services message has been very well received every time I have presented it. In the last year I met a number of individuals, like the folks from the Jericho Forum, the Concordia project, and a number of people at various conferences, who are really committed to changing how Identity becomes part of application development and deployment frameworks. Hopefully the coming year will see some concrete progress made in defining the necessary framework architecture that will enable the externalization of identity from applications
• We have seen everybody and their mother make moves to become OpenID Service Providers, especially the big identity silos. Hopefully this year will see an explosion of services that are OpenID Relying Parties, including some of those same big players. The real adoption of OpenID will come not from the glut of OpenID SP’s, but from the widespread availability of services that accept OpenIDs and do not require registration and username/passwords.
• I also hope to see someone take the Identity Oracle concept and create a viable business out of it. It may not explode right away, but it will start to emerge. It seems obvious that the easiest place for this to happen is in social networking applications like Facebook. They already hold a lot of identity information that they then serve to other applications (those annoying, currently non-critical Facebook apps that clutter everyone’s profile). Putting in place more controls on how my information is shared and with which apps, and then opening the walls to outside applications would be a logical progression in the evolution of identity providers for internet applications. I also hope to see the Identity Governance Framework become part of such a control framework in any Identity Oracle.
  And then hopefully at the start of 2009 I will be commenting on my hopes for the acceptance of internet identity framework tools within the enterprise.

Your Hopes
What are your hopes for the coming year? Leave a comment, or email them to me, so that we can add them to this list. and hopefully take notice.

Tags: Entitlement Management, Facebook, Identity Governance Framework, Identity in Social Networking, Identity Services, IGF, OpenID, Personal Identity Management, Role Management

Most of today’s social web applications (like MySpace and Facebook) are persona-based, not identity-based. What I mean is that these applications don’t really care about who you are, they only care about letting you be what you want to be within their context. So, it is not surprising that a 47 year old woman was able to pose so devastatingly as a 16 year old boy, because in essence that is what MySpace was built to be – a way to express a persona of your choosing.

Why don’t these applications, that know the kind of impact they can have (we all understand the threat predators pose online) on a persons life, care about who you really are? Because, bluntly put, they can’t. It is not possible for them to do that in a scalable, cost-effective manner. The lack of a solid identity framework for the internet prevents these applications from being truly identity-based. We have seen a push towards heavy-handed identity verification mechanisms (see my earlier post about identity verification in Second Life), but those solutions are so costly (time, infrastructure, cost) as to be impractical for most web applications. This kind of model will effectively curtail the free-wheeling collaborative spirit prevalent in the current generation of internet apps, and throttle innovation. If you had to stand in a line somewhere for 4 hours, and had to show your passport to someone, just so you could sign up for a Twitter account, would you?

A one-size-fits-all approach is not the answer. The correct solutions in life only come from taking a balanced approach to the problem. Nothing is more annoying to me when adding a Facebook app than being
required to check the box agreeing to share my information with the
app, even though I know that it doesn’t need any of it, and most likely isn’t using it at all. Consequently, I avoid adding those apps unless I really want to.

This is where pieces like Bob Blakely’s Identity Oracle, the Identity Services model, Burton’s Limited Liability Persona, the IGF and user-centric methodologies have to all fit together. We do need strong identity verification mechanisms, but we shouldn’t need to go through that for every single site we want to use. Indirection is the solution to many a problem, and the right identity framework for the internet is the necessary thing to have this identity verification feed into a platform level identity that multiple applications can build on.

This is also needed as a necessary step to support pseudonymity online. The goal of an identity framework is not to prevent people from creating online personae that are
divorced from reality. It is to give applications the ability to create
suitable boundaries within which such a persona can be created. Using this,
an application like MySpace, where the identity consequences can be so
devastating, can choose to, for example, prevent people whose identity
is in the 30+ age group from creating a persona that is in the 10-20
age group.

Like so many things in modern life, we have gotten immune to all the horror stories of online predators. Until a story like this comes along to remind us that these are important things that we are working on, and we need to get it right.

Tags: Facebook, Identity Governance Framework, Identity in Social Networking, IGF, Megan Meier, MySpace, Personal Identity Management, User-Centric Identity

“When we talk about the social graph we are talking about the set of connections, friendships, business connections, acquaintances, that everyone has in the world… We are trying to take the social graph that exists in the world and try to map it out… We have a model of social graph that we are constructing.”

At least he has the concept right.

You can read the New York Times BITS blog post here.

Tags: Facebook, Personal Identity Management, Social Graph