One Piece of Advice

Yesterday, a security expert I was talking to asked me the question:

“If you only had one piece of advice to give to a brand new security manager who knew nothing, what would it be?”

Other than questioning why the security manager got the job in the first place, I briefly thought about this and responded with:

“Educate your users!”

My rationale for this response is the well-known fact that users are the weakest link in the security chain. This has been widely accepted for a long time now. Anyone who has read Kevin Mitnick’s two books, The Art of Deception and The Art of Intrusion (I have read both), will certainly agree with this comment.

At the end of the day, it doesn’t matter how much technology you throw at a problem: if you don’t have educated people both administering it and using it, you have very shaky foundations.

Paid Advertising for Blogging

I don’t know what Rohan Pinto is talking about in his recent post about commercialized blogging!

Looking up at the SUN this morning, I was trying to decide what to put in my WORDPRESS BLOG today when an idea popped straight into my mind. I wasn’t sure if it was a good idea so I gave my colleague a PING to find out his opinion. He wasn’t sure either, so I searched on the ORACLE that is GOOGLE. After trawling the web for hours I decided to go and ask my wife. When I saw her I thought she was looking RADIANT. LOGIC told me I ought to tell her but I decided against it. Instead I thought I would go down the pub, so I put on my RED HAT and off I went, eating my APPLE along the way!

I would never dream of blogging for commercial gain.

Who do I send my invoice to??

🙂

Identity Management, Auditing and Role Management

Interesting week in the trenches

Mark Mac Auley posted earlier this week about his jetsetting week meeting people to talk about identity management.

One point that he does make is:

“The 4 PM blew their hair back to the point that I stayed over another night to meet with an even broader audience to pitch the notion of control to. Funny thing is, they were far more interested in audit capabilities since that was the immediate need”

I couldn’t agree more! Recently, nearly all of the customers I go to see about Identity Management name auditability as one of their major pain points. In a lot of cases this is driven by compliance (SOX, 7799 etc.). However, even for companies who don’t have direct accountability to one of the many standards, there is still a need for traceability and audit.

Like Mark also says:

“What I learned was that in a project of this size, magnitude, and importance (people will die if it doesn’t go well) is that knowing what is happening in real time on the network by who is on the network and what they are accessing (whether they are supposed to or not) will drive the best possible policy development, and ultimately policy enforcement which is the end goal (I think) of implementing an identity management solution.”

Not only will it drive policy development, as Mark states, but analysing real-time access also gives you the data to drive role definition and role management, something Nishant Kaushik has been discussing in his posts on role management (part 1, part 2 and part 3).
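To make the "access data drives role definition" point concrete, here is a small role-mining example. It is added here and is not code from Mark, Nishant or the page's author: it takes a constructed feed of audit records (who accessed what, and whether it was allowed), groups users by the exact set of resources they successfully used, and treats each permission set shared by two or more users as a candidate role for a human to review. Denied attempts are reported separately, because an audit trail should surface them but they must not feed the role model. The log format and the `min_members` threshold are assumptions for the demo.

```python
"""Mine candidate roles from observed access events (constructed demo data)."""
from collections import defaultdict

# Constructed audit log: (user, resource, allowed). Not real data.
ACCESS_LOG = [
    ("alice", "hr-db", True),
    ("alice", "payroll", True),
    ("bob", "hr-db", True),
    ("bob", "payroll", True),
    ("carol", "git", True),
    ("carol", "ci", True),
    ("dave", "git", True),
    ("dave", "ci", True),
    ("dave", "payroll", False),   # denied attempt: audit finding, not a role input
    ("erin", "git", True),
]


def observed_permissions(log):
    """Map each user to the frozenset of resources they successfully accessed.

    Only allowed events count: a denied attempt says nothing about entitlement.
    """
    perms = defaultdict(set)
    for user, resource, allowed in log:
        if allowed:
            perms[user].add(resource)
    return {user: frozenset(resources) for user, resources in perms.items()}


def mine_roles(perms, min_members=2):
    """Group users by identical permission set.

    Any set shared by at least `min_members` users becomes a candidate role.
    Returns a list of (resources, sorted members), largest roles first, ties
    broken by resource names so the output is deterministic.
    """
    by_set = defaultdict(list)
    for user, resources in perms.items():
        by_set[resources].append(user)
    roles = [
        (resources, sorted(users))
        for resources, users in by_set.items()
        if len(users) >= min_members
    ]
    roles.sort(key=lambda role: (-len(role[1]), sorted(role[0])))
    return roles


def denied_attempts(log):
    """(user, resource) pairs that were refused: review these, don't model them."""
    return sorted((user, resource) for user, resource, allowed in log if not allowed)


def unassigned(perms, roles):
    """Users whose permission set matched no candidate role (need manual review)."""
    covered = {user for _, members in roles for user in members}
    return sorted(user for user in perms if user not in covered)


if __name__ == "__main__":
    perms = observed_permissions(ACCESS_LOG)
    for resources, members in mine_roles(perms):
        print("candidate role", sorted(resources), "->", members)
    print("denied:", denied_attempts(ACCESS_LOG))
    print("unassigned:", unassigned(perms, mine_roles(perms)))
```

On the constructed log this yields two candidate roles (a developer role over `git` and `ci`, an HR role over `hr-db` and `payroll`), one denied access to flag, and one user (`erin`) whose access pattern matches no role and needs a manual decision. Exact-match grouping is deliberately simple; real role mining has to tolerate near-matches and entitlements that were granted but never exercised.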

I don’t usually do Politics but………………..Asylum Seekers and Crime

Following on from my previous post about benefits freeloaders, my other big gripe with the government is laws concerning asylum seekers.

Aside from the fact that I believe we are way too “Immigrant Friendly” in this country, there is one particular law which I find unbelievable. As it currently stands, if an asylum seeker commits a crime in this country we will NOT deport them back to their own country if they would face violence or are in fear for their lives through persecution.

Now, I understand why we wouldn’t send a normal failed asylum seeker back to their country of origin if they were to face persecution, but a convicted criminal? Surely not. I think the act of committing a crime and being found guilty of it should waive any protection from deportation that our laws provide.

This may seem a little harsh but I firmly believe that it would not only cut the level of crime, but also encourage asylum seekers to respect our laws and society and live by our rules.

I don’t usually do politics but………………..State Benefits

Politics in the traditional sense has never really interested me. Like a lot of other people, I exercise my right to vote (although the number of voters seems to be dwindling each year). However, beyond my vote, I, like all other taxpayers, am at the mercy of whatever hare-brained ideas the government has on how best to screw more money out of me (and other working class people) and give it to either immigrants or dodgy benefits claimants.

Don’t get me wrong, I have no problem with people claiming benefits who REALLY need the money for genuine reasons (e.g. illness, temporary redundancy etc.), but it annoys me when we hear huge figures touted around about the extent of benefit fraud. A prime example is couples who have a gazillion kids, are too lazy to work and as a result live off the huge amount of benefit they are given by the state. THEN they have the audacity to complain to their local council that their council house is too small to house their family. These people are a drain on society. The problem is compounded by the generous benefits system we seem to have in the UK. We don’t seem to want to encourage people to return to work.

I think there is a really simple solution to this problem……..cap certain benefits!

The government should introduce a law which states that the state will provide benefits (child benefit, tax credits etc.) for up to 3 children. After that, couples are still free to have as many children as they want but they get no more state benefit. In effect, you must be able to support your own children if you decide to have a large family.

That way it would limit the amount of money we are giving these people.

End of rant part 1!!!!!

The link between i-cards and i-names

As I have mentioned before, there has been a lot of discussion of late within the Identity Gang around “What is user-centric identity” and “Where does it fit into the enterprise”. One of the battles I have had in my own mind is understanding where all the different technologies, protocols, frameworks etc. (CardSpace, XRI, OpenID, LID, YADIS et al.) fit into the equation.

It seems that I am not the only one. Drummond Reed has recently been wrestling with exactly the same problem. Following on from the Berkman Identity Mashup, he posted a very enlightening blog entry explaining his understanding of the difference between i-cards and i-names. There are some really good examples in there.

Good post Drummond!

IT Terminology

My colleague Paul Squires posted a comment about Identity Provider vs Identity Verifiers which Johannes Ernst has commented on here.

Whilst I agree with the point that both Paul and Johannes have raised, my concern is the different terminology used for the same thing. To quote Johannes:

“However, the same (or even better) trustworthiness can be accomplished by the “verifier” model (using Paul’s term, at NetMesh we use the term “third-party confirmation”)”

This seems to be the problem with a number of terms used not just within the identity space (although it seems particularly prevalent there) but in IT in general.

Here at the Identity Gang we are working on a Lexicon of terms and definitions to try and resolve this. However, at the moment it seems that semantics are holding up progress, with people interpreting the same term in 101 different ways. While this is happening even in discussions among the industry experts, how do we expect the average user to understand what we are trying to say?

The Meta-Identity System

Bob Blakley (IBM) gave a very interesting presentation at Catalyst on what he calls “The Meta-Identity System“.

The basic idea is that your information is not handed over wholesale, as it is with a standard Identity Provider. Instead, the user’s privacy is maintained by answering the relying party’s questions with derived meta-data about an attribute (a yes/no claim) rather than the attribute itself. The example quoted by Bob is:

“It can do this simply by changing what it puts into the claims it hands out to Relying Parties. Instead of answering a Relying Party’s query “How old is Bob?” with the claim “Bob is 45”, it can answer “How old is Bob?” with the claim “Bob is over 18”.”

I think this is a great concept. It not only stops identity providers giving away your information (their assets), but also stops relying parties taking that data and either:

1) Storing the information and therefore creating their own identity silos.
2) Storing the information and then passing it on to other parties without the user’s knowledge.
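As an added example of the “Bob is over 18” idea (written for this post, not Bob Blakley’s or IBM’s code): a minimal identity provider that holds a user’s attributes but will only issue signed claims answering predicates from an allow-list, so the relying party learns the truth value of “age at least 18” and never the birth year. HMAC with a shared key stands in for the provider’s signature (a real deployment would use the provider’s public-key signature so relying parties need no secret); the user record, the predicate names, the audience string and the key are all constructed assumptions.

```python
"""Meta-identity style claims: the provider answers predicates, not attribute queries."""
import hashlib
import hmac
import json
from datetime import date

PROVIDER_KEY = b"constructed-demo-key"  # assumption: stand-in for the IdP's signing key

# Constructed user record, held only by the provider. Never leaves this module.
USERS = {"bob": {"birth_year": 1961, "country": "US"}}

# Allow-list of predicates the provider will answer. Each returns True/False only.
PREDICATES = {
    "age_at_least": lambda rec, n: (date.today().year - rec["birth_year"]) >= n,
    "country_is": lambda rec, c: rec["country"] == c,
}


def _canonical(claim):
    """Deterministic encoding so issuer and verifier sign the same bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_claim(subject, predicate, param, audience):
    """Return a signed claim carrying only the predicate's truth value.

    A request for anything not on the allow-list (e.g. the raw birth year)
    is refused outright rather than answered.
    """
    if predicate not in PREDICATES:
        raise ValueError(f"predicate not permitted: {predicate}")
    result = bool(PREDICATES[predicate](USERS[subject], param))
    claim = {
        "sub": subject,
        "aud": audience,       # binds the claim to one relying party
        "predicate": predicate,
        "param": param,
        "result": result,      # the only thing the relying party learns
    }
    sig = hmac.new(PROVIDER_KEY, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": sig}


def verify_claim(token, expected_audience):
    """Relying-party check: signature intact and the claim was issued to us."""
    expected_sig = hmac.new(PROVIDER_KEY, _canonical(token["claim"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, token["sig"]):
        return False
    return token["claim"]["aud"] == expected_audience


if __name__ == "__main__":
    token = issue_claim("bob", "age_at_least", 18, "shop.example")
    print(json.dumps(token, indent=2))           # contains result=True, no birth year
    print("accepted:", verify_claim(token, "shop.example"))
```

The audience field matters: without it a relying party could forward the claim to a third party, which is exactly the silo-building and onward sharing the post objects to. Binding each claim to one audience, and refusing non-predicate queries, are the two controls that make the “over 18” answer worth more than “45”.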

I hope this idea gains traction.

Well done Bob!