Identity, Security & Me

My thoughts on just about anything

OpenSSO and the role of web based SSO

P.T. Ong recently posted his thoughts on the newly announced release of OpenSSO (formerly Sun Java Access Manager, which they have now open-sourced).

In his post he raises the point:

“The biggest challenge in rolling out these systems is that you had to integrate it to the backend servers, resulting in very slow deployment projects”

I have been deploying web based access control systems for a number of years now and have a couple of thoughts on this.

Firstly, I think it is a mistake for people to see the web based access control (WBAC) products from the traditional vendors (Netegrity (now CA), Oblix (now Oracle), Sun, IBM etc.) as purely SSO products. While SSO is one of the features, it is not the only purpose of these products. As well as providing an element of SSO, they can also handle the authorisation for access to the applications. I won’t go on to list all the other benefits that they provide (such as centralised management and centralised auditing) as I’m sure you are aware of their capabilities. One of the problems with touting a product as an SSO product is that customers think that you install it and it magically provides SSO to everything under the sun with no changes necessary at their end. With WBAC products this just isn’t the case. As P.T. Ong alludes to, there is an element of integration work which usually must be undertaken, unless your application happens to already support external authentication mechanisms.

The second issue I have when people are deploying WBAC systems is that they quite often install the software and then try to retro-fit every web based application under the sun into this new product. Whilst this is an admirable idea, the effort normally required can be quite immense. You also find that the customer will try to integrate an application that may be used by 2 or 3 people in the organization, or try to integrate an application that is due to be replaced in x months. By adopting a pragmatic approach, a successful deployment can be achieved. Being realistic, looking at integrating your key applications is a good idea. Then, not only are you providing benefit for those key applications, but you now have a central security platform that can be used by the developers of the new applications. You can also ensure that any new web based applications that are bought off the shelf are compatible and integrate with your new security infrastructure.

Deploying a WBAC is about building a central security framework that can be used across the organisation for not only SSO (i.e. authentication) but also for authorisation and auditing. If you bear this in mind, your deployment will be much quicker and more successful.


DON’T FORGET MY BLOG HAS NOW MOVED TO HTTP://BLOG.PDTOAL.COM

6 September 2006 Posted by Paul Toal | Identity, Security | | No Comments Yet

Linking Physical and Logical Security

There are more and more rumblings within the industry of late about the convergence of physical and logical security within the enterprise. Nishant mentions it here, pointing to a piece by one of his colleagues, Anshu Sharma, here.

As yet, I haven’t seen a good definition of exactly what people refer to when they talk about physical to logical security. In my mind there are a number of different potential meanings.

1) A Single Authenticator with a Single Authentication Method
With this method, the most simple form of convergence is shown. Here, the user is given a single ‘token’ to use for authentication. This may be in the form of a proxy authenticator (see Phil Becker’s article here on proxy authenticators), e.g. smartcard, RFID token or magnetic strip card etc. However, it might also be in the form of an actual identifier such as a biometric, e.g. fingerprint, retina etc.

Using this method, the user would use their authenticator to access the building using the physical access control (swipe card reader, HID reader etc) and then they would also use the same authenticator to sign-on to their PC. There is no connection between the two systems other than the fact that they use the same authenticator.

2) A Single Authenticator with Multiple Authentication Methods
This method is similar in concept to the first idea above. However, in this scenario the user may have a single authenticator but use different methods of authenticating with it. For example, with a proxy authenticator, the user may have a single card which has a smartchip on it but also HID built into it. They may use the HID to access the building but then put the card into a smartcard reader on their PC and use the information on the smartchip to log into the network.

3) Multiple Linked Authentication Methods
This method extends the above two methods by linking together the two instances of authentication instead of treating them as two separate entities. Using this approach, the user would use their physical authenticator to access the building and pass the physical security. The user would then use a second authenticator to log onto the network. However, the software on the PC would check to see if the user had passed physical authentication before allowing them onto the network. If the user hasn’t ‘swiped’ through the door, they will not be allowed to log on. Similarly, if a user has ‘swiped’ through the door, they might not be allowed to authenticate a remote VPN connection to the network. The software can be tuned to ensure that you have not only ‘swiped’ into the building but that you have also ‘swiped’ into the correct part of the building (think about shared office buildings).

4) Single Linked Authentication Methods
This variation on the previous method uses a single authenticator for both the physical and logical controls instead of separate authenticators. Therefore, the user would authenticate to the physical security using an authenticator such as the chip on a smartcard. The user would then use the same chip on the smartcard to access their PC and log onto the network.

To me, when we are talking about converging physical and logical security, the only real benefit to security comes when you are using methods 3 or 4 above. Depending on your scenario you may want to try and move towards a single method of authentication. Alternatively, you may (and probably will) want to look at using multiple levels of authentication. Think about a typical office environment. You will probably have different parts of the building that are more sensitive than others. Therefore, does it make sense that a user should use different, more trusted levels of authentication to access the sensitive parts of the building? What about the PCs in those sensitive areas? If you require a biometric to access the sensitive area at the point of entry, doesn’t it make sense that you might also expect a higher level of trust when accessing computers within that sensitive area?
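As an added illustration (not code from the original post), here is a small Python policy check that gates a logical logon on physical access state in the way methods 3 and 4 describe, including the ‘correct part of the building’ and higher-trust-zone points. The users, zones, workstations, badge events and the 12-hour presence window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed badge-in events (user, zone, time) as a door controller might log them.
BADGE_EVENTS = [
    ("alice", "lobby", datetime(2006, 9, 1, 8, 55)),
    ("alice", "secure-lab", datetime(2006, 9, 1, 9, 2)),
    ("bob", "lobby", datetime(2006, 9, 1, 9, 10)),
]

# Constructed inventory: the zone each workstation physically sits in.
WORKSTATIONS = {"pc-lab-01": "secure-lab", "pc-open-07": "lobby"}

# Zones whose PCs require the stronger credential (the biometric point above).
HIGH_TRUST_ZONES = {"secure-lab"}

PRESENCE_WINDOW = timedelta(hours=12)  # assumption: a badge-in lapses after a shift
NOW = datetime(2006, 9, 1, 9, 30)      # constructed "current time" for the demo


@dataclass
class LogonRequest:
    user: str
    at: datetime
    credential: str                    # "smartcard" or "biometric"
    workstation: Optional[str] = None  # None for a remote (VPN) logon
    remote: bool = False


def zones_entered(user: str, at: datetime, events=BADGE_EVENTS) -> set:
    """Zones the user badged into during PRESENCE_WINDOW before `at`."""
    return {
        zone for who, zone, when in events
        if who == user and at - PRESENCE_WINDOW <= when <= at
    }


def decide_logon(req: LogonRequest, events=BADGE_EVENTS) -> Tuple[bool, str]:
    """Method 3/4 policy: the logical logon decision depends on physical access state."""
    present = zones_entered(req.user, req.at, events)

    if req.remote:
        # Someone badged into the building should not also be arriving over VPN.
        if present:
            return False, "vpn denied: user is badged into the building"
        return True, "vpn allowed: no physical presence recorded"

    if not present:
        return False, "local logon denied: no badge-in recorded"

    pc_zone = WORKSTATIONS.get(req.workstation)
    if pc_zone is None:
        return False, "denied: unknown workstation"
    if pc_zone not in present:
        # Swiped into the building, but not into the part where this PC lives.
        return False, f"denied: not badged into zone {pc_zone}"
    if pc_zone in HIGH_TRUST_ZONES and req.credential != "biometric":
        return False, f"denied: zone {pc_zone} requires biometric logon"
    return True, f"allowed: badged into {pc_zone} with {req.credential}"


if __name__ == "__main__":
    for r in (LogonRequest("alice", NOW, "smartcard", "pc-lab-01"),
              LogonRequest("alice", NOW, "smartcard", remote=True)):
        print(r.user, decide_logon(r))
```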

There are some very interesting alliances emerging between companies trying to bridge the gap between physical and logical security. I think that this area will gain popularity quickly as people start to realise the true benefits you can receive from the combined approach.


1 September 2006 Posted by Paul Toal | Identity, Security | | No Comments Yet

Moving On…..

It’s the end of an era!

I have been at Enline plc for nearly 10 years now (must be nearly a record), working predominantly in a consulting role at a number of different levels from implementation through to architecture. During that time I have seen a lot of changes within the company as well as a number of changes for me personally. However, I have now decided that it is time to move on and take the next big step on that career ladder.

Therefore, as a result, I have accepted a position as a Senior Technical Strategy Consultant with Cap Gemini and will be starting with them mid-September. My role will still be in the Identity Management space with an initial focus on Federation working as a Federated Identity Architect. I see this as a very positive move for me and one that I think I will find challenging but at the same time rewarding.

As far as Enline goes, I have nothing but respect for the people who work there and show the dedication and commitment required to make a small company as successful in a competitive market as Enline has been for over 20 years and continues to be. I have had the opportunity to work with some very skilled and talented people who have taught me a lot, not just professionally but also personally. I have made some great friends at Enline who I will stay in touch with.

I wish Enline every success for the future in the same way that they have done for me.

Meanwhile, I look forward to seeing what challenges and opportunities my new role presents in the coming months.


31 August 2006 Posted by Paul Toal | Identity, Personal, Security | | No Comments Yet

More from Jason Kolb on Reinventing the Internet

Jason Kolb has posted the fourth part of his series on “Reinventing the Internet”. I have blogged about two of his previous three posts here and here.

I don’t know where Jason gets his inspiration but I continue to be impressed.

However, there are a couple of queries I have about his most recent flash of genius.

Firstly, he talks about how applications will no longer work in the traditional sense:

“Thus, instead of a user registering to use an application as is typically done with Web applications these days, we need to turn this concept around and the application now needs to register with the user.”

My question around this would be how the application would deal with users’ permissions. If I own my private server and therefore my own online Identity, are the only claims that I hold on the server self-asserted ones? Therefore, when I launch an application, how does it know what permissions to give me in the application? Is this just based on the self-asserted claims that I make? Alternatively, does Jason envisage this private server plugging into something like CardSpace so that I could use third-party verified claims instead of just my own when accessing external applications?

Furthermore, Jason talks about the uses of the private server:

“The user can use it to administer their public Web presence, send and receive messages, launch applications, and a bunch of other fun stuff which I’ll talk about another time.”

I wonder if the launching of applications could be done by using something like Heartbeat-ID that I have talked about previously? Is this the sort of way Jason was thinking about launching and running applications, or has he not gone to that level of detail yet? Plus, it does rely on Heartbeat-ID open-sourcing the software they use to launch applications.

Jason has clearly thought through his idea well and I can’t wait to see a working prototype put out to the wider Identity community for comments, feedback and input.


31 August 2006 Posted by Paul Toal | Identity, Security | | No Comments Yet

Using your Online Identity

Jason Kolb has blogged the third part of his idea of how to give an online identity to the masses and what they can do with it. This extends his previous postings (here and here) which I commented on here.

I find this whole concept of his very interesting indeed. What he seems to be doing is taking the existing URI based Identity services (e.g. OpenID, LID etc) and extending them so that, in his words:

“As cool and ingenious as technology like OpenID is, it’s really a band-aid of sorts to fix the fact that people’s data doesn’t currently live at their own domain. When everyone owns their own domain (the how of which I posted about in part two), the problem just goes away.”

According to his post, Jason has started working on getting the software for the sites needed up and running. I will be following this with great interest to see where it goes. On the face of it, his idea seems very solid and looks to only extend the hard work that Netmesh and other people have put into protocols like OpenID and take it to the next level.


30 August 2006 Posted by Paul Toal | Identity, Security | | No Comments Yet

Application-Centric IdM – Is this not already here?

Defining Application-Centric IdM

Whilst catching up with everyone’s feeds after my recent holiday, I came across this post by Nishant Kaushik of Oracle about Application-Centric IdM and its definition.

During his post he states:

“The idea is that instead of each application having to build these infrastructures as part of their functionality, they can just avail of them as ready made, standards-based services. Application-centric IdM moves away from the traditional system management style of IdM, focusing instead on the creation of an IdM infrastructure that customers deploy to expose these services for their applications to plug into their own business processes. It makes identity (and security) an integral, yet abstracted part of the development process.”

I’m not sure I fully understand the difference between what he is describing as Application-Centric IdM and Enterprise IdM as we have known it for some time.

He seems to be saying that you abstract the IdM and security requirements of the application out into a separate, open standards based layer and then use this from within your application. To me, this is what your access management applications (a la SiteMinder, CoreID, Tivoli Access Manager etc.) have been doing for years, and what each of these vendors has further developed (mainly through acquisition) to encompass IdM as well (a la Identity Manager (CA), Identity Manager (Sun), Tivoli Identity Manager etc.). Do these vendors not already provide the functionality that Nishant is referring to in this new term of Application-Centric IdM? Through the use of provisioning, it is already possible to manage application permissions from an abstracted and centralized platform.

I may have missed the point of Nishant’s post. If so, please feel free to correct me, but at the moment I’m not sure why there seems to be this new term for something that has been around for some time.


29 August 2006 Posted by Paul Toal | Identity, Security | | No Comments Yet

Gloria Gaynor does security

Gloria Gaynor and Security

Saw this great post by Emergent Chaos. It seems Gloria Gaynor now does security!

Excellent :-)


29 August 2006 Posted by Paul Toal | Uncategorized | | No Comments Yet

Giving an online Identity to the masses

Jason Kolb has recently been discussing here how the internet is forming an integral part of our lives. He further goes on to describe (here) his quite ingenious plan for giving out domain names to the masses. Not top-level domains as current internet savvy people have, but sub-domains that the ordinary “Joe Public” can have. As Jason states:

“Obviously, it’s not feasible to expect the general public to pay $7.99 a year for something as abstract as a domain name. The only way to really make this happen, I realized, is to give them away. However, it’s not realistic to think that there’s any possible way to buy everyone on earth a domain name. The registration fees alone would just be massive. However, you can give away sub-domain names, for absolutely nothing.”

What a great idea Jason! I can’t believe that no-one has thought of this before but it does appear that you are the first.

Not only does this make sense to allow more people to gain their own “online presence”, but it also removes the problem of finding unique top-level domain names. I know this too well already. Recently, I have jumped on the domain name ownership list by deciding to host my own online presence. When I went looking for a domain name to use I tried the two obvious ones (well, obvious to me):

www.toal.com
www.paultoal.com

Both were already registered. Therefore, as you will see if you are reading this, I ended up opting for

www.pdtoal.com

What Jason is doing is minimising this problem. However, how long before I can’t register paultoal.atmy.name or pdtoal.myidentity.name because someone else has got them :-)


29 August 2006 Posted by Paul Toal | Identity | | No Comments Yet

My Blog is Moving

At long last I have bought my own domain name and some web hosting space.

I have always put this off in the past due to time and effort. However, since starting my blog a few months ago, I have realised that I would like to be able to customise it further than the hosted WordPress site lets me. Therefore, I decided it was time to host my own.

Therefore, my new blog is hosted at http://blog.pdtoal.com.

N.B. PLEASE UPDATE YOUR RSS READERS WITH THIS NEW ADDRESS.

I will continue to post to both sites for a while until the stats of my old blog drop.

For the moment, my new blog is fairly similar in look and feel. However, as I progress I hope to add a number of plugins and customise the look and feel to something I am happier with.

I have copied all my historic posts over from my original blog but a problem with WordPress seems to prevent me from migrating the comments as well. Therefore, you will notice that my new blog has no historic comments on it. If anyone has any ideas how to migrate these, great, please let me know.

27 August 2006 Posted by Paul Toal | Personal | | No Comments Yet

Back from Amsterdam

I’m back!!

After 4 days in Amsterdam I have returned. What a great place. Both Natalya and I really enjoyed our time there. As usual, we tried to cram loads of stuff in to a very tightly packed 4 days. I can safely say that we managed it. Without boring you too much with all the details, below are some of the main places we visited and things we did together with details of what I thought of them. If you want to see my photos, then click here.

By the way, many thanks to the people who emailed me with suggestions for things to do during my visit to the capital of The Netherlands (see my previous post).

Anne Frank’s House (more info)
We did this on the first day and I was extremely impressed with it. However, it was a little bit spooky walking round the actual house that Anne and her family were hidden in during WWII and thinking about what they must have gone through.
Verdict: 9/10 – A definite recommendation

Van Gogh Museum (more info)
I must admit that I’m not a great art lover at the best of times but thought I couldn’t come to Amsterdam without trying to appreciate some of the many art exhibitions. Whilst I found the first couple of floors of paintings quite interesting, my interest started to slip by the third floor and the currently touring Japanese exhibition.
Verdict: 7/10 – I’m sure an art buff would love it

Boom Chicago (more info)
We booked this before we went through Expedia. From the write-up it looked like the TV show “Whose Line is it Anyway”, i.e. improvised comedy. The show was preceded by a three course meal and cocktails (optional) and then two hours of side-splitting humour. I was in tears half of the time, I found the show so funny.
Verdict: 10/10 – The highlight of the holiday. A must-see!!

Half Day Trip to Delft Pottery (more info), The Hague (more info) and Madurodam (more info)
After sitting on the bus for an hour we had a quick 30 minute look around a hand-made pottery factory (the factory itself wasn’t hand-made, just the pottery :-) ). We then sat on the bus for another eternity whilst being shown a panoramic tour of “The Hague”. We got to see all sorts of important buildings. However, we didn’t leave the coach. We then finished off at Madurodam, the miniature village. This was the best part of the tour, although we only got 1 hour here so it was a quick jog around, much to the disgust of Natalya who wanted to spend at least 2 hours here. However, the village itself was very interesting, with the level of detail amazing.
Verdict: 7/10 – Should have had more time at Madurodam

Heineken Experience (more info)
This was an exhibition situated in the ex-factory of Heineken. It was extremely interesting and most of the exhibits etc were actually within parts of the factory. For example, some of the exhibits were inside the aluminium tanks that they used to leave the beer to stand for several weeks. The museum was helped along by the 3 free drinks you got as part of the admission price. Surprisingly, to drink you could have Heineken, Heineken or more Heineken (although they did do soft drinks for the softies!).
Verdict: 9/10 – Well worth seeing

Canal Boat Cruise
Well what can I say about this. I think this is almost a mandatory tour for all tourists to Amsterdam. You sit in a boat for an hour and get driven around the canals with interesting architecture being pointed out.
Verdict: 8/10 – A nice sit down

Overall Verdict: I would definitely visit Amsterdam again. It was interesting, clean, easy to get around and there was plenty to do and see. Also, it is close enough that you could fly out for a couple of days and not feel you have spent all your time travelling.

Now that I am back, I have plenty of catching up to do regarding the identity and security world. I’m sure there will be more posts on that soon.

27 August 2006 Posted by Paul Toal | Personal | | No Comments Yet