No Internet!!

For anyone out there who reads my blog, you will have noticed that I have been very quiet of late.

This is mainly due to my new job that I started last week. It has been a bit manic getting settled in.

However, I hope to catch up with everything over the next week or so and then, hopefully, I will be back to my usual vocal self.


Isn’t the English language strange

My oldest daughter has just started her 2nd year at primary school. During the past year I have been trying to help her learn to read. Like many other parents I have sat there, usually over breakfast, trying to help her master those tricky words. As is the common approach, when we reach a word she doesn’t know, we try and break it down into syllables, sound each syllable and then put them together. I find that whilst this works fine for some words, there seem to be more and more words that this approach doesn’t work for.

It’s made me realise how completely illogical a lot of written English is! For lots of words there is no pattern to being able to learn them; it is just a case of ‘knowing’ how it is spelt, or how a certain word should be pronounced. I could list numerous words that demonstrate this effectively, but to pick a fairly simple one from my niece’s spelling list:

circle

How do you teach a child the logic behind spelling circle (or even reading it)? I don’t even think the problem is just limited to children. Even today (stopping myself going onto Google now to find out the answer) I can never remember whether organisation or organization is the English spelling as opposed to the American.

I think in some areas Americans are closer to a more sensible approach than the English are. Take comparable words:

colour translates to color
theatre translates to theater
analogue translates to analog

The above American spellings remove what I see as the unnecessary letters and make the words more phonetic.

There has been talk for some time (I’m not sure how far it has progressed) about teaching phonetic spellings in our schools and making words appear more as they sound. I see this as a major leap forward for the English education system. In my opinion, something needs to be done to update the language that is used by so many people worldwide.

As an aside, my 9 year old niece can now finally spell circle. Next on the list... circumference (good luck)!!


Opinity, interesting registration process

There has been a lot of talk recently from a number of people including Julian Bond and Phil Windley about Opinity.

I decided to try and give it a go. After all, I already have a ClaimID profile so why not have another profile aggregator 🙂

I haven’t yet had a chance to look at the product fully; however, the first thing that struck me was the registration process. Opinity supports both OpenID and CardSpace as authentication mechanisms. Great, I thought! A service provider who is really embracing the concept of user-centric Identity! I have just finished installing the “OpenID comments for WordPress” plugin, so now I have my own OpenID server as well as the several other free OpenID accounts I signed up for in the earlier days of the OpenID spec.

I eagerly entered my OpenID and was promptly presented (after agreeing to trust Opinity at my own OpenID server) with a screen asking me for a username and password! Why would I possibly need to enter a password, when the whole point of OpenID is that I shouldn’t need to individually register at every “OpenID enabled” site that I visit?

I didn’t have the same experience when I registered for a ClaimID account. Upon entering my OpenID I was asked to enter a username but no password as expected.

I would be interested to understand why I need to give Opinity a password. Is it just an oversight on their part?

Blog Customization

For anybody who reads my blog through a newsreader such as GreatNews (the one I use) you probably won’t have noticed that I have been playing about with the theme on my blog.

Over the next few weeks I hope to add a number of plugins as well as getting the theme to a point I am happy with.

I would welcome any thoughts or comments that you have about the colours, layout or even the content 🙂

Remote thoughts about Digital ID World 2006

I have been really disappointed this year with not being able to make it to Digital ID World in Santa Clara due to my impending job move. Not only have I missed some of the great debates that have taken place, but I have also missed the opportunity to meet, face-to-face, so many of the people that I talk to (through channels such as the Identity Gang) in the name of “Identity”.

I have been following a number of blogs including Phil Windley’s blog about the event with great interest and once I manage to get through all the related posts, I will post my thoughts here.

OpenSSO and the role of web based SSO

P.T. Ong recently posted his thoughts on the newly announced release of OpenSSO (formerly Sun Java Access Manager, which they have now open-sourced).

In his post he raises the point:

“The biggest challenge in rolling out these systems is that you had to integrate it to the backend servers, resulting in very slow deployment projects”

I have been deploying web based access control systems for a number of years now and have a couple of thoughts on this.

Firstly, I think it is a mistake for people to see the web based access control (WBAC) products from the traditional vendors (Netegrity (now CA), Oblix (now Oracle), Sun, IBM etc.) as purely SSO products. While SSO is one of the features, it is not the only purpose of these products. As well as providing an element of SSO, they can also handle the authorisation for access to the applications. I won’t go on to list all the other benefits that they provide (such as centralised management and centralised auditing) as I’m sure you are aware of their capabilities. One of the problems with touting a product as an SSO product is that customers think that you install it and it magically provides SSO to everything under the sun with no changes necessary at their end. With WBAC products this just isn’t the case. As P.T. Ong alludes to, there is an element of integration work which usually must be undertaken, unless your application happens to already support external authentication mechanisms.

The second issue I have when people are deploying WBAC systems is that they quite often install the software and then try to retro-fit every web based application under the sun into this new product. Whilst this is an admirable idea, the effort normally required can be quite immense. You also find that the customer will try to integrate an application that may be used by 2 or 3 people in the organization, or try to integrate an application that is due to be replaced in x months. By adopting a pragmatic approach, a successful deployment can be achieved. Being realistic, looking at integrating your key applications first is a good idea. Then, not only are you providing benefit for those key applications, but you now have a central security platform that can be used by the developers of new applications. You can also ensure that any new web based applications that are bought off the shelf are compatible and integrate with your new security infrastructure.

Deploying a WBAC is about building a central security framework that can be used across the organisation not only for SSO (i.e. authentication) but also for authorisation and auditing. If you bear this in mind, your deployment will be much quicker and more successful.


DON’T FORGET MY BLOG HAS NOW MOVED TO HTTP://BLOG.PDTOAL.COM


Linking Physical and Logical Security

There are more and more rumblings within the industry of late about the convergence of physical and logical security within the enterprise. Nishant mentions it here, pointing to a piece by one of his colleagues, Anshu Sharma, here.

As yet, I haven’t seen a good definition of exactly what people refer to when they talk about physical to logical security. In my mind there are a number of different potential meanings.

1) A Single Authenticator with a Single Authentication Method
With this method, the simplest form of convergence is shown. Here, the user is given a single ‘token’ to use for authentication. This may be in the form of a proxy authenticator (see Phil Becker’s article here on proxy authenticators), e.g. a smartcard, RFID token or magnetic stripe card. However, it might also be in the form of an actual identifier such as a biometric, e.g. fingerprint, retina etc.

Using this method, the user would use their authenticator to access the building using the physical access control (swipe card reader, HID reader etc) and then they would also use the same authenticator to sign-on to their PC. There is no connection between the two systems other than the fact that they use the same authenticator.

2) A Single Authenticator with Multiple Authentication Methods
This method is similar in concept to the first idea above. However, in this scenario the user may have a single authenticator but use different methods of authenticating with it. For example, with a proxy authenticator, the user may have a single card which has a smartchip on it but also HID built into it. They may use the HID to access the building but then put the card into a smartcard reader on their PC and use the information on the smartchip to log into the network.

3) Multiple Linked Authentication Methods
This method extends the above two methods by linking together the two instances of authentication instead of treating them as two separate entities. Using this approach, the user would use their physical authenticator to access the building and pass the physical security. The user would then use a second authenticator to log onto the network. However, the software on the PC would check to see if the user had passed physical authentication before allowing them onto the network. If the user hasn’t ‘swiped’ through the door, they will not be allowed to log on. Similarly, if a user has ‘swiped’ through the door, they might not be allowed to authenticate a remote VPN connection to the network. The software can be tuned to ensure that you have not only ‘swiped’ into the building but that you have also ‘swiped’ into the correct part of the building (think about shared office buildings).

4) Single Linked Authentication Methods
This variation on the previous method uses a single authenticator for both the physical and logical controls instead of separate authenticators. Therefore, the user would authenticate to the physical security using an authenticator such as the chip on a smartcard. The user would then use the same chip on the smartcard to access their PC and log onto the network.

To me, when we are talking about converging physical and logical security, the only real benefit to security comes when you are using methods 3 or 4 above. Depending on your scenario you may want to try and move towards a single method of authentication. Alternatively, you may (and probably will) want to look at using multiple levels of authentication. Think about a typical office environment. You will probably have different parts of the building that are more sensitive than others. Therefore, does it make sense that a user should use different, more trusted levels of authentication to access the sensitive parts of the building? What about the PCs in those sensitive areas? If you require a biometric to access the sensitive area at the point of entry, doesn’t it make sense that you might also expect a higher level of trust when accessing computers within that sensitive area?

There are some very interesting alliances emerging between companies trying to bridge the gap between physical and logical security. I think that this area will gain popularity quickly as people start to realise the true benefits you can receive from the combined approach.
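Methods 3 and 4 above describe a logon agent that consults the physical access system before permitting a local or VPN logon, and the closing paragraph adds that sensitive zones should demand a stronger door method. The Python below is an added illustration of that decision logic, not code from this post or from any vendor product; the badge log, zone names, the ranking of door methods and the 12 hour staleness window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assurance ranking for the authentication method used at the door reader.
# The ordering is an assumption for this example; the post only names the methods.
METHOD_LEVEL = {"hid": 1, "smartcard": 2, "biometric": 3}

# Minimum door-method level a PC in each zone demands (constructed policy).
ZONE_MIN_LEVEL = {"lobby": 1, "lab": 3}

@dataclass
class BadgeEvent:
    user: str
    zone: str        # part of the building the reader controls
    method: str      # key of METHOD_LEVEL
    when: datetime
    direction: str   # "in" or "out"

# Constructed physical-access log, the kind a PACS would export to the logon agent.
BADGE_LOG = [
    BadgeEvent("alice", "lobby", "hid", datetime(2006, 9, 20, 8, 55), "in"),
    BadgeEvent("alice", "lab", "biometric", datetime(2006, 9, 20, 9, 2), "in"),
    BadgeEvent("bob", "lobby", "hid", datetime(2006, 9, 20, 8, 30), "in"),
    BadgeEvent("bob", "lobby", "hid", datetime(2006, 9, 20, 12, 15), "out"),
    BadgeEvent("dave", "lab", "smartcard", datetime(2006, 9, 20, 9, 30), "in"),
]

def presence(user, log, now, max_age):
    """Zones the user is currently badged into, mapped to the door-method level used."""
    zones = {}
    for ev in sorted((e for e in log if e.user == user), key=lambda e: e.when):
        if ev.direction == "in":
            zones[ev.zone] = (METHOD_LEVEL[ev.method], ev.when)
        else:
            zones.pop(ev.zone, None)
    # Expire stale badge-ins so a forgotten badge-out does not keep authorising logons.
    return {z: lvl for z, (lvl, t) in zones.items() if now - t <= max_age}

def decide(user, request, pc_zone, log, now, max_age=timedelta(hours=12)):
    """request is 'local' (logon at a PC in pc_zone) or 'vpn'. Returns (allowed, reason)."""
    zones = presence(user, log, now, max_age)
    if request == "vpn":
        if zones:
            return False, "user is badged into the building; remote VPN logon refused"
        return True, "user not on site; VPN logon permitted"
    level = zones.get(pc_zone)
    if level is None:
        return False, f"no current badge-in to zone '{pc_zone}'; local logon refused"
    if level < ZONE_MIN_LEVEL[pc_zone]:
        return False, f"door method level {level} too weak for zone '{pc_zone}'"
    return True, f"badge-in to '{pc_zone}' at level {level} confirmed"

if __name__ == "__main__":
    now = datetime(2006, 9, 20, 10, 0)
    for user, req, zone in [("alice", "local", "lab"), ("alice", "vpn", None),
                            ("dave", "local", "lab"), ("carol", "local", "lobby")]:
        print(user, req, zone, decide(user, req, zone, BADGE_LOG, now))
```

The staleness window matters in practice: without it, a user who tailgates out of the building without badging out would remain "present" indefinitely, and the VPN rule would lock them out from home.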
