Friday, August 29

Digital ID World - Bloggers Unite!

It looks like a number of you Identity bloggers will be at DIDW in Anaheim. Anyone up for a bloggers meet-up? ...maybe just a happy hour somewhere? ...or during one of the exhibit area receptions?

Dave Kearns?
Mark Dixon?
Ian Glazer?
Who else is going?

Let me know by leaving a comment or contact me directly.

[UPDATED 9/4 - details are here]

Tuesday, August 26

A few interesting Identity findings

User-Centric vs. Enterprise Identity

Dave Kearns offers a concise explanation of the core difference between user-centric identity and enterprise identity. His summary:
Enterprise-centric identity management is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form. User-centric identity is about keeping various parts of your online life totally separated so that they aren’t accessible and no report can be drawn.
I like the simplicity of this explanation. I think it really captures the essence of the difference in an understandable way.

Management Profile

In this article from ComputerWorld, the Director of IS, strategy and architecture at Universal Service Administrative Co. is profiled. He talks about his current project:
An IAM framework will allow for customer information of applicants and contributors to remain consistent across IT platforms while spanning new and legacy systems and applications. My goal is to have one authoritative repository for contributors' and applicants' access information that will be used in managing a secure access control infrastructure. I believe that identity and access management will become an underpinning technology that IT leaders need to address.
He goes on to say that Identity Management is the most critical technology of the year. It's nothing earth-shattering, but I always give priority to real customer insights.

Interesting Service Offering

I've discussed the idea of outsourcing identity and managed identity services, but CoreBlox, a company founded by ex-Netegrity folks, has this posted in its service offerings:

Dedicated CA SiteMinder Support Professional

It's an interesting twist on managed identity services and one that I think would resonate with customers. I've known a number of companies who would've liked to just outsource the identity support role to someone who knows what they're doing -- without having to hire and without having to pay for a full-time resource who sits around waiting for something to go wrong. One of the things I like about this is that CoreBlox isn't trying to provide a support professional for any identity system. They're focused on the technologies that they know.

So, if you had a provisioning solution from Courion or SAP and SiteMinder for Web Access, you might need to go to two different people or companies to get the right support. BUT - that focus on core expertise is a recipe for success (especially in a support role). And likely still more cost-effective than hiring, training, and retaining someone to support these complex systems.

Friday, August 22

Criminal Data Loss

Seems like some people just aren't paying attention. Every time I think we've gotten past a point as an industry, someone proves me wrong. I would think by now we wouldn't be carrying very large, highly confidential data sets on unencrypted USB sticks.

Can you imagine how the exposed data on 130,000 criminals will be used? I'm sure someone would find a way to monetize a list like that. I can see a few angles:

Dear _____,

Why break into homes and cars when you can steal from the comfort of home?!? Try our latest web site phishing kit and collect credit card information from unsuspecting shoppers. No black ski masks, no up-front discovery work, and no commute!

Or maybe...

ATTN Hiring Manager:

Are you having trouble staffing up for your next big heist? Contact CriminalTemps where we can provide full or part time criminals. 100% no-police guarantee!!

Thursday, August 21

Insider Threat: Crime of Opportunity

For the past few years, I've talked to many people about the insider threat. I don't spend too much time focused on the hardcore criminal element that plans an attack against their employer. I have mostly been thinking about the 35% of employees who claim they need to break policies in order to get their jobs done (see my post on Insider Threat - By the Numbers), and the unknown percentage of employees who break policies without being noticed (or in many cases without even knowing it).

A few days ago, security researcher Ira Winkler articulated one aspect of this very plainly.
Why is there a sudden epidemic of violations of sensitive personal information? The answer is, Because it’s there.
The scenario of an employee viewing sensitive information that they shouldn't be viewing is a fairly common example of real-world insider security breaches. While it won't likely lead to a $7 Billion loss, it could mean a failed audit, bad publicity, lost customers, or other lost business opportunities. In today's transparent business environment, it's only a matter of time before juicy information is made public. State Dept. employees were probably snooping on passport information for years before they found the 2008 presidential candidates. Then, it got out and became a news story.

Winkler goes on to note:
Anyone developing or maintaining information just better accept that their fellow workers will look at information and that they need to track and limit access. More importantly, they better look at their audit logs and specifically search for violations.
I agree. One of the scenarios I often run into is where administrators require access to files (in order to manage access) but they don't require access to the information within those files. A good example is the admin who controls access to HR files and has the ability to open offer letters containing salary and other personal information. To Winkler's point, if the capability is there, they will likely open the files to take a peek. After all, they have been explicitly granted access to those files in order to do their jobs. Doesn't that make it OK? No. And to Winkler's final point, the admin would probably exercise additional restraint if they knew that file access was being monitored.
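Winkler's advice to actually look at the audit logs for violations can be put into practice with a fairly simple check. The following is an added example written for this post, not code from the post, from Winkler, or from any product. It assumes a constructed pipe-delimited file-access audit log, invented role names (acl_admin, hr_recruiter) and invented paths; the rule it encodes is the scenario above: an account whose role is only to manage access to HR files should generate ACL changes, not content reads, so any OPEN/READ of a sensitive file by such a role is flagged, and a burst of sensitive reads by any user inside a short window is flagged as browsing.

```python
"""Detect content reads by access-management admins on sensitive HR files.

Added example (not from the post or any product). The log format, role
names, paths and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log, one event per line:
#   timestamp | user | role | action | path
SAMPLE_AUDIT_LOG = """\
2008-08-21T09:00:12|hr_admin1|acl_admin|ACL_CHANGE|/hr/offers/2008/smith_offer.pdf
2008-08-21T09:00:40|hr_admin1|acl_admin|ACL_CHANGE|/hr/offers/2008/jones_offer.pdf
2008-08-21T09:03:05|hr_admin1|acl_admin|OPEN|/hr/offers/2008/jones_offer.pdf
2008-08-21T09:03:30|hr_admin1|acl_admin|OPEN|/hr/offers/2008/smith_offer.pdf
2008-08-21T09:04:01|hr_admin1|acl_admin|OPEN|/hr/offers/2008/lee_offer.pdf
2008-08-21T10:15:00|recruiter2|hr_recruiter|OPEN|/hr/offers/2008/lee_offer.pdf
2008-08-21T11:20:00|hr_admin1|acl_admin|OPEN|/shared/policies/handbook.pdf
"""

# Roles whose job is to manage access to HR files, not to read their contents (assumed).
MANAGE_ONLY_ROLES = {"acl_admin"}
# Path prefixes whose contents are sensitive, e.g. offer letters with salary data (assumed).
SENSITIVE_PREFIXES = ("/hr/",)
# Actions that reveal file contents, as opposed to ACL/metadata work (assumed).
CONTENT_ACTIONS = {"OPEN", "READ", "DOWNLOAD"}


def parse_line(line):
    """Split one audit line into a dict; timestamps are ISO 8601."""
    ts, user, role, action, path = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "action": action, "path": path}


def parse_log(text):
    """Parse the whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def find_violations(events):
    """Events where a manage-only role read the contents of a sensitive file.

    ACL_CHANGE events on the same files are the admin's actual job and are
    not flagged; only content-revealing actions count.
    """
    return [e for e in events
            if e["role"] in MANAGE_ONLY_ROLES
            and e["action"] in CONTENT_ACTIONS
            and is_sensitive(e["path"])]


def find_browsing_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map user -> max number of sensitive content reads inside any sliding window.

    Only users reaching `threshold` reads within `window` are returned; this
    catches "taking a peek" at file after file regardless of role.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["action"] in CONTENT_ACTIONS and is_sensitive(e["path"]):
            per_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_AUDIT_LOG)
    for v in find_violations(evts):
        print(f"VIOLATION {v['ts'].isoformat()} {v['user']} ({v['role']}) "
              f"{v['action']} {v['path']}")
    for user, n in find_browsing_bursts(evts).items():
        print(f"BURST {user}: {n} sensitive reads within 5 minutes")
```

Run against the constructed log, the three OPENs by hr_admin1 under /hr/ are reported as violations (the ACL changes and the handbook read are not), and hr_admin1 is also reported as a browsing burst; the recruiter's single read of an offer letter is neither. In a real deployment the role-to-path rules would come from the access-management system rather than hard-coded sets, but the shape of the check is the same.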