Tuesday, April 29

Digital Forensic Evidence Collector

I want to get me one of these. Microsoft provides law enforcement with a digital forensic evidence collector in the form of a USB thumb drive. And it's free. Maybe I'm out of touch, but I haven't heard of this before. Pretty cool.

Tuesday, April 22

Low Tech Breach

Probably could've been avoided with simple old manual deprovisioning. Or, even more likely – maybe they were using a shared account to access the system that held customer data.

Oh where
Oh where
Has my private data gone

And of course, this from a few days ago in Oklahoma.

Sometimes I think we assume that everyone in IT is reading the same books, articles and blogs as us. And they're not. Not even close. Whatever they're reading isn't about work.

Saturday, April 19

Wow, what an endorsement

Thanks Trey. Remind me to put you on the payroll.

User Centricity in the Enterprise (Cont.)

I've blogged on this before. But I was oh so young and naive back in December of 07.

OK, I'm not 100% convinced yet, but I'm beginning to see the light. I think part of the problem is that I have an internal tendency to want to understand things in mathematical terms and what I'm finding is that I almost need to think of this issue through an artist's lens. And that's a tough metaphor to make because I know it could be misunderstood - I wasn't trying to make the issue black & white or say that there would never be a case for x, y or z. But as a philosophy, I was thinking that user-centric identity is about individual control which seems at odds with the goals of enterprise security. Just because the technology could be used to enforce control on both sides doesn't mean the philosophy of a user-centric approach works within the enterprise walls. I was able to fit B2B transactions into the equation (like an insurance rep interacting with multiple carriers). But, that again isn't really contained within the walls of an enterprise. I was trying to build a chart of some kind in my mind to map out the scenarios.

But then I had a few good discussions with folks like Kaliya Hamlin, Dale Olds, Michael Barrett of PayPal, Andrew Jaquith of Yankee Group, and others. And then I read this (thanks Pamela) and this (thanks Dale) and I watched the video from Brainshare that Dale linked to.

I'm not quite ready to start professing the faith of user-centric in the enterprise and I certainly haven't mapped it out in my head, but I'm beginning to recognize that I'm on the dark side of this and that Kim Cameron, Kaliya, Dale and Pamela are in the light.

Friday, April 18

Extending the ROI on Provisioning

Provisioning has typically been about increased efficiency and reduced cost. But, it's time to extend the ROI into security and compliance as well. I've had a number of conversations over the past two weeks with provisioning vendors and industry consultants. They confirmed that the organizations they work with are asking for this. The same organizations that deploy provisioning solutions are confronted with compliance tasks and demand for improved security. They want the identity infrastructure that enables work flow efficiency to provide the compliance benefits as well. Provisioning vendors have made progress in terms of logging system activity, but there's no way for them to prevent authorized administrators from leveraging direct access to the directory to get around the work flow. Today's niche identity and security vendors have improved on this by providing security and audit-ability on the complete set of activity taking place in the identity infrastructure. I'm in the process of writing an article on this for one of the security trade mags. I'm interested in your feedback on this topic.

Would you like to be quoted? Would you like to be mentioned as a consultant that understands this proposition? Would you like your vendor's technology to be included? Let me know or leave a comment.

Thursday, April 17

Bulletproof Identity Process

(file under stupid humor)

I forgot to mention, there was one company in San Francisco last week who really knows how to implement a bulletproof identity authentication process. But, they weren't on the expo floor. They weren't even at the Moscone.

This is an actual photo from the back of my hotel room door. They really get it. Just call "operator" for assistance.

Overheard at the RSA Conference

A few more of my favorite paraphrased quotes from RSA and then I'll try to stop blogging about what I did last week...

In the Cryptographer's panel, Whitfield Diffie, Vice President and Fellow Chief Security Officer, Sun Microsystems, said that within 10 years he believes that technology will create the genetic offspring of two women thereby rendering men a clumsy and inefficient means of reproduction. I think he then said that due to genetic engineering, it won't be humans having this discussion in another 10 years. I look forward to reviewing the video to see if I heard all of that correct. He got some good laughs, but I think he was serious.

The BT/CNBC Risk Resilience webcast was one of the more entertaining sessions for me. Michelle Dennedy, Chief Privacy Officer for Sun Microsystems, said that Sun employees' avatars in the game Second Life must adhere to a Sun-approved dress code. I believe she said that Sun wasn't trying to interfere with how employees play games on off-hours while at home, but I can't imagine Sun has a policy that encourages playing games at work? As a CPO, she has a tough job, but I thought Dennedy did a good job at being a likable bad cop to Schneir's good cop.

In the same session, Bruce Schneir said that we're currently experiencing the biggest generation gap since Rock n Roll. He reminded me of a quote that I heard attributed to Doc Searlsemail is how old people communicate. Schneir explained that young people are growing up with their lives exposed on YouTube, MySpace and Facebook. They're in constant communication via SMS and Twitter. They won't be wounded by privacy breaches the way "old people" are afraid. He reminded us what the old people said about Rock n Roll. It will lead to drugs, sex, wildness and the end of marriage. And yeah, they pretty much got it right. But we survived and went on. He believes that our privacy issues will not be privacy issues for the next generation. He summed it up by saying that in every generation gap, the younger generation wins because the older generation dies. Entertaining and poignant. Thanks Bruce.

In Thomas Kurian's keynote, he talked about protecting data across the network even from the DBA. He joked that DBAs should be the highest paid people in the world since they have direct access to change salary information in the database. Technologies exist to prevent that access while allowing the DBAs to continue doing their job. He described the need for transparent encryption so that applications won't need to be re-written. He then talked about the absolute need for strong identity management solutions and emphasized the fact that a comprehensive identity solution must include an audit of identity transactions. (ding ding) I almost stood up and said "yes" but luckily I stayed quietly in my seat. That hit home for me because it's what we do at NetVision and as I walked the expo floor and spoke with Identity solution vendors, nobody could audit transactions outside of what their own system does. I was glad to hear it emphasized on the big stage.

Last one - in the track on Consolidating Logical and Physical Access Control, John Thielens and Michael Hejtmanek explained that part of the friction holding back convergence has been that the physical security vendors haven't been traditionally trained in enterprise IT architecture. More often, they resemble cable installers who may not know how to join a workstation to a domain. The big take-away for me from that session is that there is hope. PAC and LAC are coming together. Training is happening and vendors on both sides recognize the urgency. So, what I saw a year or two ago (which was discouraging) sounds like it's getting closer to reality for widespread adoption. I don't know how companies are dealing with the fact that they're in shared or leased buildings, but at least progress is being made.

OK, I think that gets all the highlights out of my head.

UPDATE: Apparently, that quote wasn't from Doc Searls. Sorry Yogi. um, Doc. Unfortunately, I'm fairly confident it was someone on stage that passed the quote as yours - can't recall who though.

Wednesday, April 16

Proliferation of Multiple LDAPs

I was questioned today by someone who read my post on Synchronization versus Virtualization, which is topical given the recent blog debates by many of the big names in identity blogging on whether metadirectories are dead. Back then, I was trying to convince the world that there are cases that require a virtual approach. Now, the tables seem to have turned. I've stayed quiet on that debate, but I believe there's still a place for each method. Honestly, I'm not sure why there's such intensity behind that debate – they're just tools. My idea for Enterprise Identity Services Architecture included a layer for Identity Data Services, which is analogous to the proposed Identity Hub or Bus. It has a box for both synchronization and virtualization because there are use cases for both types of technologies often within the same infrastructure.

End of digression.

The question proposed was about how large enterprises (hundreds of thousands of users) are addressing the proliferation of LDAP directories in their environments. The person asking comes from a well-known and reputable company. The first thing I thought is here's the exact reason why we still need metadirectories. Many companies still haven't dealt with the user-store sprawl. In a general sense, I think metadirectory technologies can help get you to a place where you refine and consolidate your infrastructure and can then leverage virtual directory technologies where appropriate for applications that need access to data in multiple stores and/or multiple formats.

What the questioner was really looking for is research that discusses how other companies have handled the challenge. Here's my answer:

My recommendation is to find an experienced group of consultants who have tried various approaches with different clients. There are a number of them out there and I'm happy to give recommendations privately based on geography, technology, comfort-level with small vs. large companies, etc.. Whether you engage them contractually or enter into discussions via user groups, trade shows, etc., real world experience is priceless. Anybody that pushes one particular approach to this problem is probably biased (either by product or by their own limited experience). My experience suggests that most scenarios require a unique approach based on business goals, actual technologies, future plans, etc.. But you probably need someone to spend some time understanding your own scenario before recommending an approach.

Some questions you'll want to explore:

  • Which data stores have overlapping data and which are unique?
  • Does it make sense to consolidate?
  • Is the data mappable across systems? Do they share unique identifiers?
  • Where can multiple applications share a single store?
  • Where do given applications require access to data in multiple stores?
  • What applications or uses are coming in the future?
  • Which stores are used for critical apps? What is the up time demand?
  • In what format is the data stored?
The answers to these questions will drive your architectural decisions and help you prioritize next steps.

If you'd like to comment and provide a pointer to field research, whitepapers, or contact info for how you can help with this situation, feel free.

IT Security Risk = Lost Business Opps

In Art Coviello's key note last week, he reported that 80% of executives surveyed have avoided real opportunities for business advancement because of IT security risk.

It was probably the most powerful statement I heard all week. It means that enterprise IT security is falling short in a critical way.

When I present on the business drivers of a security solution, I always include three areas: risk reduction, enhanced ability to respond to audits, and creation of business opportunities. The first two generally resonate pretty well but the last one usually gets blank stares and I call myself an optimist and move on. So, I'm glad Mr. Coviello brought this into the spotlight. And honestly, I didn't know if I was right. But RSA has now collected the hard data to confirm that businesses are actually losing opportunities because they don't have a handle on IT risk. Art went on to say that security not only needs to be a business enabler, but should be transparent to the business, and should act as an accelerator of innovation. It was probably my favorite key note of the week (that honor might have gone to Malcom Gladwell, but having read the book I already knew the punchline to his stories).

I got into an elevator with Art two days later and took the opportunity to tell him that I liked his address. He seemed to have other things on his mind so it wasn't much of a conversation. I might have also told Art that I liked John Thompson's key note as well. And it would've been relevant because in my opinion, Thompson just reiterated the same message that Coviello's RSA has been articulating since I worked there more than a year ago. I agreed with most of what Thompson said and considered it a testament to the leadership of RSA. (and no - I don't own stock and I'm not waiting on any final pay checks - just giving credit where due)

Monday, April 14

Trip Report: RSA Conference

I just got back from the RSA show and I'm sure I'll need more than one post to cover everything I saw and heard of value. A couple main themes for me were:

  • The move from security as the first-mover to business as the first-mover. In other words, security can't just sit in a vacuum trying to make everything more secure in unmeasurable ways - just spending as much as the budget allows on various improvements. Security requirements need to be driven by business requirements and risk analysis.

  • User Centric identity continues to emerge. In various discussions, there were lots of differing opinions on user-centric identity. Sun stood up an OpenID provider for employees and found that the technology was a little premature for non-trivial uses (like blog commenting or white paper downloads). Michelle Dennedy of Sun thought consumers probably shouldn't be trusted to approve information sent to online retailers (something I tend to agree with). Dale Olds of Novell has some creative uses of user-centric technology in mind that put the enterprise in control of enterprise data and enable the user to maintain control of how they will authenticate to various apps.

  • Networking. This was a fantastic networking event for me. Around every corner were people doing very interesting things that were willing to share ideas. In addition to catching up with former colleagues from Unisys and RSA, I had interesting discussions with people like Mark Wilcox, Kaliya Hamlin, Jonti McLaren, Pamela Dingle, Andreas Antonopoulos, Ari Juels and Sean Kline, James Costello, Jack Daniel, Kristen Romonovich and Sara Peters, Dale Olds, as well as others (I think I lost some business cards).
I really enjoyed the keynotes by Art Coviello and Malcom Gladwell, though I already knew the stories that Gladwell told, having read the book. Coviello talked about Thinking Security where the word thinking is an adjective rather than a verb. Thinking Security adapts to its dynamic environment and changing threat landscape. This is perhaps the future of security technology - to be pro-active in its ability to be reactive. ...more on that later.

I had interesting booth discussions with eEye, BioPassword, Compliance Spectrum, and M-Tech. And even had lunch with one of the great legal minds from Cisco. I didn't catch his name, but he provided some great food for thought around compliance and legal issues. Specifically, he mentioned that some security vendors are trying to force their technologies into law and it sounds like Cisco is fighting the good fight

I'm going to have to stop here for now. I'm sure there will be more to come on RSA happenings.

Article: Business Case for IdM

Here's another article on how to make the business case for Identity Management. It doesn't necessarily present anything new if you've been thinking about this stuff for a while, but the main points are important nonetheless and probably worth reminding yourself about a few times a year when they're re-published in various articles. They present topics like articulating objectives and business value, creating smaller iterative projects to achieve success, and having the right team in place.

Wednesday, April 2

RSA - San Fran next week

Going to RSA? Shoot me an email or contact me online if you'd like to meet for a cup of coffee or Q&A or to invite me to your booth - whatever. I'll be there all week. Looking forward to participating.