My Catalyst 2009 Tweet Stream

7/27/2009
5:28 PM @iglazer loved FB privacy mirror. What interested me the most was how much of my friends' data was shared with apps I installed #catalyst09
3:31 AM Interesting day at Concordia workshop today. It's (painfully) obvious that THE issue to solve is AuthZ, in all its manifestations #catalyst09
7/28/2009
11:26 AM Sitting in the ‘Cloud Computing Security and Identity Management’ SIG meeting #catalyst09
11:35 AM eBay Chief Security Strategist Liam Lynch speaking about cloud computing (what they call fluid capacity) at eBay #catalyst09
11:40 AM Moving to cloud computing can be an opportunity to fix broken internal processes – Liam Lynch, eBay #catalyst09
11:42 AM Cloud Architecture: Interoperable interfaces to enable mobility and several levels of interfaces (IaaS, PaaS, SaaS) #catalyst09
11:44 AM eBox (eBay in a Box) sounds interesting – software that is IDE integrated, SOA that allows 3rd party devs to create auctions #catalyst09
11:45 AM eBox requires security considerations to be made inherent as eBay cannot rely on the 3rd party devs to not make mistakes #catalyst09
11:47 AM eBay uses behavior and reputation as underpinnings for their identity management strategy #catalyst09
11:51 AM Liam describing a claims based identity model consisting of static, semi-dynamic and dynamic claims. #catalyst09
11:53 AM Reputation and behavior analysis generates (over time) dynamic identity claims that then get used in access control mechanism #catalyst09
11:59 AM Liam describing how Role-based Access Control was insufficient for them (because of scale), and they had to move to claims-based #catalyst09
12:09 PM @paulmadsen That's what I understood. In some sense, a next generation ACL #catalyst09
12:11 PM Must remember to follow up with Liam regarding the whole RBAC vs CBAC (Claims-based Access Control) thing #catalyst09
12:12 PM Nils Puhlmann, co-founder of the Cloud Security Alliance now speaking to the SIG #catalyst09
1:09 PM Everyone wants to get to the point where there is a checklist that CSPs (Cloud Service Providers) can be evaluated against #catalyst09
1:39 PM @paulmadsen Likely. Nils made point that our industry history points to a long, confusing path. More checklists=more confusion #catalyst09
1:41 PM Nils, CSA – I have not seen one security vendor announce that they will build security tools focused on the cloud #catalyst09
1:43 PM Dan Blum pointing out that Symplified, Novell have shown focus on cloud security. Also pointing to Layer7 #catalyst09
1:44 PM Liam points out that eBay has looked at some vendors, and the issue has always been whether they can scale to eBay's needs #catalyst09
2:06 PM OK. So got clarification on the RBAC vs CBAC issue from Liam. He explained that it is both a compliance, an admin & a perf issue #catalyst09
2:07 PM On the management side, the claims on the user are generated at run-time based on the organizational dynamics (a rule) #catalyst09
2:08 PM So they replaced reassignment of user from one role to another with reassignment of user from one org to another. #catalyst09
2:09 PM Somehow this is more compliant. Not sure I understand that, unless role reassignment in their environ had no workflow controls #catalyst09
2:12 PM Hmm! @pamelarosiedee pointing out that the CSA guidance doc doesn’t cover provisioning, and asking why that is #catalyst09
2:13 PM Hmm! @pamelarosiedee pointing out that the CSA guidance doc doesn’t cover user provisioning, and asking why that is #catalyst09
2:38 PM Lot of discussion has focused on the need for CSPs to be much more transparent so consumers can accurately measure risks #catalyst09
5:18 PM People making the point that policy management is a key ingredient in an identity services env that is currently not covered #catalyst09
6:31 PM Group is now working on the AuthZ service. First up: a debate on the meaning of Policy (vs policy) in context of P*P #catalyst09
7:49 PM The AuthZ discussion has been very good. Strong push towards trying to condense the best of what’s out there and prior work #catalyst09
1:09 AM Hanging out with some of the cool cats of identity at Osetra. Come by if in the area #catalyst09
3:38 AM If today has been any indication, this is going to be a good conference and a fun time #catalyst09
7/29/2009
11:41 AM And away we go… sitting in the Identity and Privacy track at #catalyst09
12:04 PM Panel – Layoffs, slew of M&As (more As) and need to improve efficiencies are big reasons why investment in IdM is sustaining #catalyst09
12:20 PM Mark Diodati pointing out main thing I’ve always said holds back SPML – way too flexible => no schema => integration complexity #catalyst09
12:31 PM Lori – Vendors and Analysts have ignored the need for management of entitlements, a pain that customers feel daily #catalyst09
12:46 PM Panel – DLP becoming an increasingly important market that is getting connected to the identity management market #catalyst09
12:57 PM Ian Glazer pointing out that the identity community is uniquely qualified to deal with the emerging privacy issues #catalyst09
1:02 PM Michael Barrett of Paypal about to speak about consumer identity #catalyst09
1:24 PM Not sure I learnt anything from the Paypal presentation. Michael avoiding saying whether Paypal will become an IdP #catalyst09
1:34 PM Michael sort of hinting that consumers will not pay for high assurance identity UNLESS forced to do so by …? #catalyst09
1:58 PM @paulmadsen True. I think high assurance IdPs could charge businesses that don’t want to incur cost of building their own #catalyst09
2:03 PM Hmmm…Bob Blakley – cloud computing value prop is that integration/test/deploy is done on vendor time. Something seems missing #catalyst09
2:25 PM Most interesting point Bob made: Cloud Identity Services will challenge fundamental architectural notions of IdM Infrastructure #catalyst09
2:33 PM Bob says we need to move from identification (via user challenge) to recognition (via Id Svcs) for better user experience #catalyst09
2:37 PM By the way, shout out to @iglazer for mentioning me in the morning panel as bashing him for restarting a terminology war. #catalyst09
2:37 PM Nothing I like better than bashing my analyst friends 🙂 #catalyst09
2:40 PM @paulmadsen What authorization decisions in the “Hooters” context were you hoping to learn about and exploit? 😉 #catalyst09
3:01 PM RT @mgd: Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure. #catalyst09
3:05 PM Going to hear about Identity Oracles now, which is a fascinating topic #catalyst09
5:14 PM Kevin Kampman sharing his analysis of the role management scene based on discussions with customers #catalyst09
5:19 PM What’s Broken = Shifting definition of role mgmt and fragmentation of features, lack of common understanding #catalyst09
5:25 PM What’s Real = Tools actually secondary. First and foremost Role Mgmt is about understanding, designing, documenting #catalyst09
5:28 PM @jonathansander Intent matters, as Michael Barrett pointed out. Becoming IdP should be driven by biz value, not tech ability #catalyst09
5:29 PM @jonathansander So if you are an Identity Oracle charged with protecting my identity, you will build those protection features #catalyst09
5:42 PM RT @MatHamlin: In Role Mgmt, you need framework for execution. Includes biz owners/sponsors, technology, goals, and expertise #catalyst09
7:17 PM @paulmadsen I don’t think it was ever just Yes/No answers. It was answering the question without giving away more than it should #catalyst09
7:18 PM Back in the IdPS track after some work calls #catalyst09
7:28 PM The term “Entitlement Mgmt” causes confusion between the process for defining/managing them and the products to enforce them #catalyst09
7:30 PM Interestingly, the term “Claim” has not been used once (to my knowledge) so far today in any session. Wonder why that is #catalyst09
7:34 PM @ggebel @jonathansander Looks like I spoke too soon. Wonder if I can add “foreshadowing” to my list of superpowers 🙂 #catalyst09
7:36 PM @ggebel @jonathansander But after all the talk about claims, esp. in some of the SIG mtgs, I’m surprised at only a fleeting ref #catalyst09
7:54 PM RT @ggebel: asking business to help define roles is a nonstarter. talk to them about their business process – Paul Rarey Safeway #catalyst09
8:04 PM David Laurance just did a rundown of 6 objectives for using roles, and opines that those 6 are unrelated. I don’t think so #catalyst09
7/30/2009
12:18 PM Interesting! Mark Diodati: Companies are using Virtual Dir to expose the same identity data in diff forms for diff use cases #catalyst09
12:20 PM So the theme of today's IdPS track is “achieving efficiencies”. Might oscillate between this track and the cloud computing track #catalyst09
12:44 PM The questions from the audience for the Allstate presenter are pretty high quality and in-depth #catalyst09
12:48 PM Switched to Cloud Computing track for security discussion #catalyst09
12:51 PM Major risks from moving to cloud computing – (1) multi-tenant, dynamic characteristics puts sensitive, regulated data at risk #catalyst09
12:54 PM (2) Vendor viability risks (3) DoS attacks on SP create risk for customer (4) lack of transparency, accountability lowers trust #catalyst09
1:00 PM Dan Blum pointing out that cloud security gets evaluated unfairly, in that internal IT security isn’t evaluated at same level #catalyst09
1:02 PM Dan: While security considerations for using cloud services are largely same, security processes themselves may need rethinking #catalyst09
1:05 PM Key security enablers for Internal Clouds: Enterprise Key Mgmt, Identity and Policy Svcs, Strong AuthN, Federated Identity #catalyst09
1:08 PM Burton recommendation on Enterprise use of public clouds: Don’t, in general, use public clouds for sensitive applications #catalyst09
1:24 PM @rohanpinto Not exactly, and a question pointed out the issue: How would you classify Salesforce? It’s considered sensitive data #catalyst09
2:51 PM Take away from AD Unix IdM bridge talk: normalize Unix namespace, and clean AD trust relationships. #catalyst09 (via @darrenyamaki)
3:14 PM Sony: Virtual Dir deployed on top of geographically local LDAPs allowed us to satisfy data compliance needs #catalyst09
5:08 PM Starting 2nd half of IdPS track which is about Identity transparency and governance #catalyst09
5:22 PM Forces impacting Enterprise IT: Externalization (cloud, outsourcing), Consumerization (devices), Democratization #catalyst09
5:25 PM @iglazer @djrolls I think of it more like the different quadrants of the brain that work together for whole brain thinking #catalyst09
5:28 PM IdM must facilitate both hierarchical orgs that are necessary for enterprise controls and social networks necessary for collab #catalyst09
5:54 PM Dave Griffeth, RBS Citizens Bank providing a nice overview of how Roles-based Entitlement Certification can support compliance #catalyst09
6:02 PM Dave setting out some analogies that could take hold -> “RBAC is like Communism” and the “Model After Virus” #catalyst09
6:21 PM Dave recommends: To ensure visibility & avoid issues, ensure each group in LDAP that controls access is specific to a resource #catalyst09
6:22 PM Not sure about that last recommendation from Dave. Works for sure, but defeats some of the objectives of role management #catalyst09
6:25 PM Interesting that quite a few use case studies this year are talking to 2nd phases or iterations of IAM programs/deployments #catalyst09
6:27 PM Wendy Booker, SunTrust Banks: In role modeling efforts, 20% of the population was 80% of the problem. All because of modeling #catalyst09
6:30 PM Wendy Booker, SunTrust Banks: In role modeling efforts, 20% of the population was 80% of the problem. #catalyst09
6:36 PM SunTrust eliminated model-as problem by letting managers look at access one of their reports has, and select for a new report #catalyst09
6:38 PM @MatHamlin Not at all, because “like” users is never compliant if it can’t be converted to a role (based on your question) #catalyst09
6:42 PM SunTrust: Even if you give user ability to select from application catalog, it usually isn’t good enough because they don’t know #catalyst09
6:42 PM Cognitively, being able to see what someone similar has, and select from that, works better #catalyst09
6:45 PM @MatHamlin Probably a good idea, especially if it is a candidate role that will be reviewed and certified before going live #catalyst09
7:24 PM Burton: Complexity is the enemy of transparency. One vote for an identity services world #catalyst09
7:30 PM Role models should be tied to functional structures, not organizational structures as those are too fluid, resulting in chaos #catalyst09
7:34 PM No love for provisioning systems this year. Burton: Provisioning Systems are ill-suited for all the expectations hoisted on them #catalyst09
8:50 PM Rohit ended by echoing Oracle’s commitment to keeping Sun IdM customers happy/satisfied through any transition #oracle #catalyst09
9:00 PM 2nd day of IdPS track over. Really looking forward to the privacy related sessions tomorrow. #catalyst09
9:00 PM And now, drinks! See you at the Oracle Hospitality Suite #catalyst09
7/31/2009
11:34 AM Kicking off the Privacy track on the last day of Catalyst with Bob Blakley #catalyst09
11:35 AM @paulmadsen Just letting the market decide (even though our booth babe was a guy in a yellow suit escaping from a strait-jacket) #catalyst09
11:38 AM Bob: Privacy is about personal dignity #catalyst09
11:43 AM Principles of privacy: Accountability, Transparency, Meaningful Choice, Minimal Collection & Disclosure, Constrained Use, … #catalyst09
11:44 AM Principles of Privacy (cont’d): Data Quality & Accuracy, Validated Access, Security #catalyst09
11:49 AM David Miller, CSO Covisint talking about privacy in healthcare, which has specific, unique issues #catalyst09
11:54 AM IAM is about privacy, not security. Security=Make it difficult to get something, Privacy=Make it easy to get what you should #catalyst09
12:08 PM The Covisint Healthcare Information Exchange (HIE) allows for exchange of data between the endpoints (hospitals, doctors,…) #catalyst09
12:17 PM Robin Wilton (@futureidentity) speaking on how to have a productive stakeholder discussion on privacy #catalyst09
12:19 PM Robin ran series of global round tables as part of Liberty Alliance Privacy Summit to get contextual understanding of privacy #catalyst09
12:27 PM The Basic Identifier Set viewed as pretty deterministic by most govts, but it can change over time (Name, DOB, Gender, …) #catalyst09
12:46 PM Robin laid out a “Ladder” framework for the multi-stakeholder discussion (Philosophy | Strategy | Implementation | Technology) #catalyst09
12:46 PM Hear hear! RT @mgd: Robin Wilton’s “Onions and Ladders” privacy discussion = most intellectually stimulating presentation at #catalyst09
12:47 PM Now speaking: Bob Mocny, Director US-VISIT – the largest biometric authentication program in the world #catalyst09
1:56 PM OK. Break over. @iglazer now dazzling us with regulations and laws that are going to change everything #catalyst09
1:59 PM Ian: IT Security Audits will not address privacy needs. #catalyst09
2:03 PM The new ecosystem of IT, Business partners is going to fundamentally alter privacy, breach remediation programs #catalyst09
2:20 PM Heidi Wachs, Director of IT Policy and Privacy Officer at Georgetown Univ talking about perspectives on protecting privacy/data #catalyst09
2:23 PM Georgetown has a Data Security Task Force – representatives: CFOs of all campuses, VPs, CIO, Privacy Officers #catalyst09
2:25 PM Different privacy officers in different realms – IT PO under CIO, HIPAA PO under Legal Counsel and FERPA PO #catalyst09
2:26 PM UCLA (part of joint presentation) has a Privacy Board instead of Privacy Officers, w/ representatives from diff constituencies #catalyst09
2:31 PM Interesting! For their data breach investigations, Georgetown was assisted by MPD and Secret Service, while UCLA by FBI #catalyst09
2:41 PM Georgetown created an interim policy on the use, collection and retention of SSNs which laid out how SSNs could NOT be used #catalyst09
2:41 PM When they tried to enforce it, the process was a nightmare. Vendor Certification Process revealed that it was everywhere #catalyst09
2:42 PM Worse, people started hiding stuff so as to avoid getting in trouble. So Georgetown started doing network scans #catalyst09
2:43 PM This was disruptive, ruffled feathers and created issues with partners #catalyst09
2:53 PM Excellent presentation by Heidi #catalyst09
2:54 PM Excellent presentation by Heidi, primarily because it was an honest, raw look at how data breaches are handled and implications #catalyst09
2:55 PM Shuman Ghosemajumder, Biz Product Manager for Trust and Safety at Google speaking now #catalyst09
2:57 PM Google's approach to security is custom, because everything they do has to be custom by the nature of Google #catalyst09
3:07 PM Example of transparency & choice: Blurring of people's faces, license plate numbers (automatically) in Google Maps Street View #catalyst09
3:09 PM Shuman now talking about privacy implications of Interest-based Advertising (as opposed to contextual page content based ads) #catalyst09
3:20 PM Google anonymizes server logs after 9 months – drops last octet in IP address, removes username(?) #catalyst09
6:35 PM End of another great Catalyst conference. Session content was excellent, had wonderful discussions & made some great connections #catalyst09
11:59 PM Boarded flight back home. Upgraded too. Been a wonderful week here in San Diego at the Catalyst conference. Now back to reality #catalyst09