Now on Twitter
I have taken the plunge and decided that I should have a twitter account. Therefore, if you can’t think of anything better to do and want to follow me: http://twitter.com/paultoal
Authorisation comes full circle
I find it really interesting to look at access control of web-based applications to see how they have changed over the past decade.
When I first started working with Identity and Access management back in 1998/1999, web applications were still emerging and there functionality was limited. At that time people were building silo’d applications containing all of the security within each application. Then along came the web access management (WAM) vendors including Netegrity, Oblix etc. All of these vendors took a new approach to web application security. Their approach was to remove the security out of the application and instead, put it into a security framework which surrounded your applications. This became a common access point which provided a range of features including:
- Web-based SSO
- Authentication
- Authorisation
- Auditing
This was all well and good but as applications developed and became increasingly complex, it became harder to meet all of the applications’ security requirements through this framework. Sure, authentication was straight-forward. Lets authenticate the user and then pass a token to the application containing the user’s identity. This has been done over and over again and is now a very well-trodden path.
However, what about authorisation? This wasn’t so simple. Despite their claims of handling authorisation, the WAM products primarily worked on URL. They were able to carve up the URL into chunks and decide which user’s got access to which chunks. This was fine in some cases, but more often than not, was not enough for many applications.
As applications matured, there were more requirements to do complex authorisation based on defining access control at levels deeper than the URL. The WAM vendors answer typically was to pass some information from the user directory to the application and let the application perform that level of authorisation. I have deployed many WAM solutions during my consulting days. The majority of those used WAM to provide authentication but left the authorisation to the underlying applications. So, we ended up with a half-way house. WAM providing authentication and some high-level authorisation, with applications providing the more detailed authorisation. Not ideal!
Then as the market has matured even more, we see the advent of products like Oracle Entitlements Server which addresses this problem. How do we provide a solution which allows us to not only externalise authentication and the high-level (coarse-grained) authorisation but also the low-level (fine-grained) authorisation? We now have the answer to providing a complete solution in this area.
We can now use WAM to provide the authentication and coarse-grained authorisation whilst allowing an entitlements service to provide the fine-grained authorisation.
Surely, this is where the WAM vendors first imagined we would be, i.e. externalising all of the access control from the web application. It just seems that it has taken us a bit longer than expected to get there.
DNA Database – Finally some sense
At least the European Court of Human Rights respects people’s DNA and doesn’t think the UK Government should keep it for no reason….
Date of Birth on Facebook
It still amazes me that so many of my friends are displaying their date of birth on their public facebook profile.
Don’t they realise how useful this is to potential Identity thief?
Identity Fraud has finally happened to me
Well its finally happened to me.
After been very careful with my credit card details over the years, last week I finally fell victim to Identity Fraud. Yes, whilst checking my credit card transactions online, I noticed a airline ticket that I certainly didn’t buy. A call to my credit card company revealed two further airline transactions that had not yet been posted onto my statement.
Within one day, 3 separate airline tickets had been bought on my card. Fortunately, the bank had noticed something suspicious and put a stop on my card. Of course, i’m fully covered by my credit card company. However, I can’t help thinking now whether my stolen details were a result of something careless I have done or whether it was a problem over which I had no control (i.e. insider fraud). Still, irrespective of which it is, I will be ever more vigilant when my replacement card arrives.
Strange Acquisitions
There are some acquisitions within the Identity space that come as no surprise. For example, when Sun acquired Vaau as a knee-jerk reaction to Oracle’s acquisition of BridgeStream (sorry, I had to get that jibe in), it came as no surprise. Equally, as the other independent role management vendors get bought up, that will be expected also. The only slight surprises may come from who buys who.
However, every now and again a complete left field acquisition shocks the industry. This occurred at RSA with Hitachi announcing it had bought a major share in M-Tech. Everyone seems to be talking about it. Burton, Digital ID World, Dave Kearns, Bruce Schneier etc.
What next, Amstrad buying Courion? 
Social Networks galore!!
I’m sure like me you are constantly getting invitations to the myriad of different social networking/web 2.0 sites out there. Personally, I have accounts on:
Facebook
LinkedIn
MySpace
Naymz
Plaxo
Del.icio.us
ClaimID
Technorati
and i’m sure there are others……
I don’t have the time to keep all of these up to date, never mind joining any more.
Looking specifically at the number of social networks out there, surely there has to be a point when these must start to consolidate their functionality. I can see it has already starting happening to a certain extent.
LinkedIn is designed for business relationships. Plaxo extends that so you can categorise people as either business or friends. Similarly, LinkedIn allows you to write an endorsement for someone, whereas, Naymz whole philosophy is based on reputation and references.
I don’t see how all of these sites can be sustainable as we move further into 2008.
OpenID in the Enterprise
As always, I am constantly talking to new people about Identity Management in the Enterprise. We always talk about the usual topics; provisioning, authentication, authorisation, audit etc. More and more recently I have been asked by people what my thoughts are on OpenID. Previously, these types of discussions were limited to the hardcore ID people such as the Identity Gang. But now, I seem to be getting asked the question more and more by people within the Enterprise. A number of times it has been people who don’t really understand what OpenID is, other than its one of the ‘new terms’. Others are more informed.
So what do I think of OpenID and its application in the Enterprise……
I think OpenID so far has done a lot for pushing forward Identity 2.0 and has seen a reasonable adoption within the ’social internet’ (blogs, wikis etc). There is definately a good use case for its application there. However, organisations have not yet really started to adopt this technology. There have been a couple, including Sun who announced an internal OpenID server for employees last year. However, in the main its uptake has been extremely limited.
I have no doubt that eventually OpenID will start to find a place within the Enterprise. However, at the moment, I really can’t see its application within the arena. The problem that I see Enterprises facing when looking at OpenID is the lack of trust in the Identity provider. Anyone can set up an OpenID server (indeed this blog is one) and use it to sign-on to OpenID enabled sites. However, where is the trust that I am indeed Paul Toal when I hit the target site. For enterprise, cross domain single sign-on, federation based on SAML (and the other standards) provides that pre-defined trust agreement. Clearly, what it lacks (and OpenID goes towards addressing) is the user consent.
As long as the trust issue is outstanding I don’t see why Enterprises would adopt OpenID for any transactions of any value (financial or otherwise). There is a big difference from posting a comment on a blog that I have signed onto with my OpenID Identity, to performing a business transaction with an Enterprise partner using my self-asserted OpenID.
The answer to this might be to ensure Enterprises host the OpenID server so that their partners can be assured of trust. However, isn’t that what standard federation today gives us. Do we actually want our employees deciding whether, as an employee their Identity information can or can’t be shared with other business partners?
Maybe I am missing the point (feel free to correct me), but at the moment, I just don’t see where OpenID fits within the Enterprise.
Technorati Tags: OpenID, federation, enterprise, trust
Media Influence on Persona
Recently there has been a lot of coverage in the media on missing Madeleine McCann.
Initially, there was a massive international manhunt and lots of coverage on all types of media (newspapers, television, radio, internet etc). Everyone was backing the McCanns in the search for their daughter, including a number of famous celebrities such as David Beckham and J.K. Rowling.
However, over the past couple of weeks the Portugese police have turned their attention to the McCanns and have made them suspects in the disappearance of their daughter.
My aim here isn’t to discuss the innocence or guilt of Madeleine’s parents. I’m sure there will be plenty of focus on this in the upcoming weeks and months.
My focus is on the McCanns persona. Within the Identity world there is a lot of talk about a person’s persona and how different personas are portrayed to different groups of people. For example, my work persona is quite different from my home persona. However, the recent events with the McCanns goes to prove that we only have so much control over our persona and how we are portrayed to different people. Alot of this influence comes from the media. In the past week I have seen how the British people have slowly started turning against Madeleine’s parents through no direct actions of the McCanns. It is all based on speculation in the media.
So, whilst the McCanns have not changed their public facing persona towards the world, the influence of the media means that people are viewing them very differently than before.
The McCanns are by no means the only example of this. There are examples (mainly celebrities) of this happening time and time again.
It reminds me of the James Bond film, Tomorrow Never Dies, where the media mogul is trying to control people’s reaction by controlling the information that is provided to them through the media.
I do find it quite disconcerting that the media can have such power of people’s lives.
Powered by ScribeFire.
Its official (finally)
Finally, after much speculation and a couple of leaks on the Internet, Oracle has finally announced that they have bought Bridgestream for their Enterprise Role Management capabilities. Despite Mel’s thoughts that Oracle has paid over the odds for them, I think this is a very good announcement for Oracle.
This acquisition stands to further enhance Oracle’s already comprehensive offering in the Identity and Access Management space and put them in an even stronger position to offer a complete solution.
I am currently in San Francisco (more on that later) finding out more details about both the Bharosa and Bridgestream acquisitions and hopefully will find out the strategy for these two products moving forward.
From a personal point of view, I must say that Oracle is certainly a good place to be working right now around IAM, what with these recent acquisitions and their strategy and vision.
Powered by ScribeFire.
-
Recent
- Now on Twitter
- What makes a good presentation
- Authorisation comes full circle
- New swapping site…worth a look
- DNA Database – Finally some sense
- Is the Olympics necessary?
- My First YouTube Post
- Is ALL water a wishing well?
- Date of Birth on Facebook
- Identity Fraud has finally happened to me
- iPod Graveyard
- Strange Acquisitions
-
Links
- Here, Now
- cn=Directory Manager
- JasonKolb.com
- Marc’s Voice
- Identity Management
- Andre Durand – Federated Identity
- Andy Harjanto’s InfoCard WebLog
- BizTalk + WF Visionary Blog
- Ceci n’est pas un Bob
- Dave Kearns Feed
- Dick Hardt – Blame Canada
- Digital ID World Editors Corner
- Doc Searls’ IT Garage -
- Eric Norlin’s Weblog
- Gil’s Blog
- Identity 2.0
- Identity mangement news
- Identity Woman
- IdM News
- iTickr
- Johannes Ernst’s Blog
- Kim Cameron’s Identity Weblog
- Phil Windley’s Technometria
- Ping Identity Blog
- Sara Gates – From Here to Identity
- Schneier on Security
- Scott C. Lemon: Digital Identity Management
- Sxip Identity – Archives
- The Virtual Quill
- Voidstar: blog
- Wired News
- CNET News.com – Threats
- SecurityFocus News
- The Register
- Wired News: Technology
- Wired News: Top Stories
-
Archives
- July 2009 (1)
- May 2009 (2)
- February 2009 (1)
- December 2008 (1)
- October 2008 (2)
- August 2008 (3)
- June 2008 (1)
- April 2008 (5)
- November 2007 (1)
- September 2007 (5)
- August 2007 (1)
- July 2007 (5)
-
Categories
-
RSS
Entries RSS
Comments RSS
