Wednesday, April 22

Updates, NetVision, Oracle, etc

I haven't been blogging much this month. I was probably more active on Twitter when I had small contributions. ...and I blogged at the NetVision blog. Some of it was specific to what we do, but there are also some useful Tech Tips like posts on Active Directory Last Logoff and Last Logon - Attribute Confusion.

--

I've also not yet weighed in on Oracle-Sun. In a letter, Oracle's President (Charles Phillips) says they're planning to:

Engineer and deliver an integrated system—applications to disk—where all the pieces fit and work together so customers do not have to do it themselves. Customers benefit as their systems integration costs go down while system performance, reliability, and security go up.
That makes sense from a business perspective. The key Sun technologies that were clearly interesting to Oracle are hardware, Java, and Solaris. And a hidden dark desire perhaps to mold MySQL as a non-enterprise solution so that there's no competition with Oracle's flagship product line. ...maybe that's just a bonus.

My personal opinion is that Identity Management had little or nothing to do with the purchase. In fact, it's probably considered a headache to the acquisition team. Clearly, it gives Oracle the number 1 spot in terms of IAM market share. And arguably the best suite of IAM products on the market. But, I don't know what that will mean to Oracle in their quest for world domination.

I was part of a very talented IAM team that got absorbed into a multi-billion dollar organization for which IAM was not a priority. And the team quickly disintegrated. I don't think that will happen at Oracle, but the IAM product teams will need to show management a strong revenue number to get the attention they'll need to integrate the Sun and Oracle suites properly.

Deborah Volk at Identigral wrote a nice post on the two product lines. I haven't used either enough to speak intelligently on which product might win the starting position. And Ash Motiwala captured one of my first thoughts. People always chose Sun because they were the big guy. The product wouldn't 'go away'. Well, there goes that theory. To quote Andre Durand from the NetworkWorld article:
This is yet one more reason companies should consider standards-based, loosely coupled approaches.
Perhaps the most intriguing aspect of this acquisition for the IAM world is the combination of all of those bright engineering minds in one room. The Sun Directory team, the OID team, the OVD team can join together and help shape the future of directory services while the Oracle Access Manager and OpenSSO teams can do the same for their piece of the puzzle. ...assuming of course that big-company bureaucracy doesn't get in the way.

[UPDATE: link to Felix Gaehtgens' Oracle-Sun product line comparison]

--

Speaking of innovation, one last thing before I close - NetVision announced a Series B round of funding today. The goal is to enable the innovation that we started with the industry's first managed service for directory and file system audit and monitoring. Be sure to keep your ear to the ground as we make another innovation announcement in the weeks to come.

Wednesday, April 1

On Multi-factor Authentication

Luther Martin of Voltage Security posted a very interesting post on the future of multi-factor authentication. In it, he challenged commonly held beliefs on the subject. Specifically, he writes:
It’s often claimed that multi-factor authentication is inherently more secure than single-factor authentication, but if you look at the history of this claim, it actually came from a vendor that wanted to make their multi-factor authentication product sound better than competitors' products.
(I'm not sure if these are his thoughts or if he's saying that was the consensus at a recent X9 meeting.)

Martin goes on to suggest that using two authentication mechanisms of the same factor may be as secure as using two factors and lays out scheme A & B to discuss.

So here are my thoughts:

Wouldn't scheme A be more secure because you can't brute force it? Isn't that the whole point of having the second factor? All passwords can be brute-forced given enough time. Having the second factor removes that threat.

Of course, you could implement a strong password plus a kill switch after 10 bad tries, but that still relies on the user to practice safe password storage. And I generally think it's better to remove any responsibility from the end-user (especially if there's a convenience trade-off).

Requiring users to carry/remember two username-password combinations for every system doesn't seem practical. Security will fail if users try to subvert it for the sake of convenience. And they will.

Usability needs to be a key consideration. A token/PIN combination is a secure and easy-to-use way to beat the threat of brute-force attacks and poor password management. ...as is having a certificate installed on a particular PC, or other second-factor solutions.
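To make the scheme A discussion concrete, here is an added example (mine, not from Martin's post or any vendor product) of a login check that combines a password with a time-based token code, enforces the "kill switch after 10 bad tries" from above, and refuses a replayed one-time code. The `AuthService` class, the fixed per-user salt and the test secret are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 10  # the "kill switch after 10 bad tries" discussed in the post


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s time step)."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthService:
    """Password + token (two factors) with lockout and replay protection. Constructed demo."""

    def __init__(self):
        self.users = {}      # user -> (salt, password hash, token secret)
        self.failures = {}   # user -> consecutive failed attempts
        self.last_step = {}  # user -> last TOTP time step that was accepted

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, token_secret: bytes) -> None:
        salt = hashlib.sha256(user.encode()).digest()  # constructed: fixed salt for the demo
        self.users[user] = (salt, self._hash(password, salt), token_secret)
        self.failures[user] = 0

    def verify(self, user: str, password: str, code: str, now: float = None) -> str:
        now = time.time() if now is None else now
        if user not in self.users:
            return "denied"
        if self.failures[user] >= MAX_FAILURES:
            return "locked"            # kill switch: no further guesses accepted
        salt, pw_hash, secret = self.users[user]
        ok_pw = hmac.compare_digest(self._hash(password, salt), pw_hash)
        ok_code = hmac.compare_digest(totp(secret, now), code)
        step = int(now // 30)
        fresh = self.last_step.get(user) != step  # a code is accepted once per time step
        if ok_pw and ok_code and fresh:
            self.failures[user] = 0
            self.last_step[user] = step
            return "ok"
        self.failures[user] += 1       # password-only brute force burns the 10 tries
        return "denied"
```

Because the token code changes every 30 seconds and the counter locks the account after 10 misses, an attacker with the password alone gets at most ten guesses at a six-digit code before the kill switch fires.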