Friday, July 29

FireFox Sync: Ease of Use and Security Implications

Although, I most often cover business-related identity issues, this post is going to focus on an issue for home users (that also applies to business). In the past, I wrote about the differences between Web SSO and ESSO. And I recently wrote about Mozilla's BrowserID which is focused on home users but is more closely aligned to Web SSO than today's topic.

I've used a variety of browsers over the years from Netscape 2 and IE 3 through today's versions of Chrome and FireFox. Although it was considered uncool by many, I primarily used IE for a number of years. But today, I almost exclusively use FireFox 5. It's fast, intuitive, good security features, control over privacy, extensible via plugins, etc. But one of the killer features for me is FireFox Sync.

I have all my bookmarks and preferences synced across multiple computers and my smart phone. It's extremely convenient and even encouraged me to finally organize my bookmarks - something I hadn't really done in the 15 years I've been online. But, there's an aspect to Sync that's incredibly dangerous.

It's dangerous because it makes life so darned easy. It's a fantastic feature from a user perspective. Sync includes browser-stored passwords. So, sign in at home and get automatic logon from work and mobile without needing to remember or re-type passwords. I can't count the number of times I was mobile and couldn't access a site from my phone because I didn't have the password. With Firefox Sync, my passwords can be automatically sync'ed across all my devices saving time and making life easy. My typical blog audience should already know where I'm going with this. 

When you organize your sites in bookmarks and auto-save passwords, you make it very easy for anyone who accesses your workspace to get quick access to ALL of your favorite sites. How likely is it that someone could get a hold of your smart phone or laptop? Well, it's not unlikely. Here are some stats. Losing a phone used to mean shelling out a few bucks for a new one. Today, it means someone could get immediate access to every site you use with your own credentials. You've made it way too easy. You even have a folder for your banking sites so they know where to quickly find all your account information.

The above scenario (which makes the user experience seamless and easy) is the security equivalent of leaving cash on your dashboard with the car unlocked, the windows rolled down, while you walk around the mall handing out maps that show how to find your car.

Firefox Sync raises your risk profile and should only be used in combination with locked down devices, smart selection of which sites you'll include in your bookmarks, discipline to not store sensitive passwords, and you should set a master password so everything isn't left wide open. The tech security industry is getting better with each new release, but we're still in the infancy. We need to stay alert.

Happy surfing.

Friday, July 22

Introducing FishEye Group

Two weeks ago, I updated and re-announced my Identity Management list and since then I've added a dozen or so more entries. Among the new ones, I had the pleasure to add a newcomer to the Identity Management space. My good friend and long time colleague Kishan Malineni has finally incorporated on his own and will bring his talents to the identity industry as FishEye Group. Full disclosure: He asked if I would assist with business strategy and I accepted an unpaid position on the board. And I'm excited to help.

If you don't know Kishan, it's because he hasn't spent much time blogging, tweeting, or hitting the conference circuit. He has spent 50+ hours a week for the past decade hands-on actually building identity management solutions (and winning the hearts of CIOs and project sponsors). Everybody that has worked with him has positive things to say about his technical skills, integrity, work ethic, and positive attitude. Most recently, he has earned an excellent reputation as one of the industry's leading integrators of Oracle's OIM 11g. In a previous role, he developed the first real-world implementation in the higher education vertical (possibly globally) of Oracle Identity Manager 11g. He also developed the industry's first set of cloud connectors for OIM.

FishEye Group has hit the ground running with it's first project already underway and is in the process of putting partnerships in place and placing a number of additional projects on the calendar.

If you're looking for assistance with OIM 11g, product evaluations, identity management strategy, or other identity-related services, please give Kishan a shout and hear what he has to say. His pragmatic approach and enthusiasm for the technology will no doubt win you over.

Monday, July 18

BrowserID a Threat to Individual Freedom?

The folks at Mozilla recently introduced BrowserID. You can compare it to OpenID, but there are some key differences. The basic idea - a single set of authentication credentials across multiple sites and simplified logon to each as facilitated by the browser. Ian Yip took an interesting look at BrowserID from the an Identity Management industry perspective and how it relates to what we call identity federation. For more details on how it works, check Lloyd Hilaiel's post.

But that's not what I wanted to write about. I'm more interested in SC Magazine's article headlined Mozilla BrowserID "seriously flawed" and Roger Clarke's Reaction to Mozilla's BrowserID Proposal, which was the subject of the SC Mag article. My first point is simply: go read it. It gives you a lot to think about. My second point, though, is a little more complex.

Clarke makes some interesting and compelling arguments about Internet privacy and individual freedom. I can't say that his logic is incorrect or that his points are invalid, because they're not. But his anger (characterized by phrases like "seriously flawed 'identity management' schemes" and "its design is seriously threatening to individual freedoms") may be a bit misplaced.

I agree with Richard that BrowserID is not THE solution to solve the Internet's authentication and privacy problem. But that's not the challenge that Mozilla has sought to solve. Not every site that requires a logon is a major privacy risk. I have probably 50 or more web site accounts to manage and I welcome solutions to my credential management problem. I'm a security guy but I will gladly introduce some level of risk to make life easier when browsing a large number of those sites. We all do to a degree. e.g.) It's less risky to go to a library anonymously to look something up in a book but the Internet at home is just so much more convenient that we risk being eavesdropped or introducing malware to our systems every time we use it.

It reminds me of the old argument that two-factor authentication is useless because it's susceptible to MITM attacks. BrowserID won't be a silver bullet for all authentication scenarios and maybe not even for ANY scenarios that require high security or strong assertions about the user, but it could still be a useful way for end-users who want to simplify the logon process. Claiming that BrowserID is seriously flawed because it doesn't address issues outside of its own scope just seems wrong and even somewhat irresponsible. The IT industry's version of media sensationalism maybe?

I don't mean to pick on SC Mag - the title got me to read Richard's article, which is the purpose of a strong title, but I'm pulling for one of these solutions (OpenID, CardSpace, BrowserID) to make it into the mainstream so that my life will be a little easier. And creating hysteria and FUD around them doesn't help with user adoption.

Wednesday, July 13

Security Policy vs. Operational Needs

I've written a number of times about human behavior and end users. My point has been that security needs to be: (1) easier or cheaper (2) built-in and transparent and (3) continuous / not periodic. Yesterday, I heard the problem described in an interesting way.

I had the opportunity to sit in on a webinar provided by LogicTrends and CA. The topic was privileged accounts and compliance. I believe it was LogicTrends' CTO Phil Lentz who described part of the problem as this (paraphrased):
Security Policy doesn't always match operational needs or expectations.

What I believe he meant is that system administrators ignore security policies for tactical reasons. They are almost forced to breach policy in an effort to get their jobs done more efficiently. I don't think that's anything new, but I've traditionally chalked it up to human behavior. Lentz's description lead me to think the problem was more systemic.

It wouldn't matter how disciplined the person sitting behind the keyboard is. There is an inherent disconnect between the person's operational duties and the organization's security policies. It's an interesting perspective and may indicate that there's hope. By creating more synergy between policy and operational procedure, the human-nature problem can be at least muted if not eliminated. Again, not a new concept, but a new angle by which to see it.

Thursday, July 7

THE Identity Management List

After a few years of neglect, I finally updated my Identity and Access Management list. I added a few vendors who weren't around 2-3 years ago, removed some who have since disappeared, and moved others under their new parent companies.

I'm sure there's a bunch missing and I can't do it all myself. If you're in the identity management space, please take a look and make sure you're represented. There's a contact link if you'd like to request an update. And thanks to those who have already submitted over the past few years!!


I've found it convenient for my own personal use over the years to have this list all in one place. I've also gotten notes from others saying the same. And if you've been in identity space for a while, it might be fun just to see where all those early companies ended up.

It Looks Weird.

I plan to improve the look and feel at some point, but right now I'm just trying to get the data right. I'd like to tag companies by capability and provide a more interactive UI but I'm not there yet. Bear with me - as you know, it's tough to find the time.