Identity Management
Report Card: 2007 Incite #8 - Identity Everywhere
Let's keep plugging along. This Incite deals with Identity. Not just from the standpoint of who you are and what you are supposed to have access to, but also how identity information is increasingly being integrated into the fabric of our computing infrastructures.
Incite #8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-8-identity-everywhere
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007
Final grade: C
Let’s start off with the positive. Cisco TrustSec. ‘Nuf said.
OK, it’s probably not enough, but it should be. Cisco finally jumped on the identity-aware bandwagon in December with its TrustSec architecture, which is basically just validating everything that everyone else has been saying for a long time. You can’t really separate out who you are, from what you are allowed to get to. Moreover, you need to enforce that as close to the network fabric as you can.
But the rest of the Incite was a bust. Mutual authentication is not really happening because the banks have no incentive to make it happen. Sure, some of them are making a half-assed attempt to train their users about little marks or SiteKeys or something else, but these have had precious little impact on fraud.
The extent of directory store integration with the network is for the devices to suck information from an LDAP data store and then use it to set policy. It’s not like they are externalizing any of their policy or storing that policy in the directory store – now are they?
Finally, the idea of an “identity network” has been a real bust. You can get your little token from PayPal, but then what? Again, I was a bit optimistic here because I know it’s something that should happen – but I forgot the importance of a profit motive.
The reality is there just isn’t a real compelling need. It would be convenient for me as a customer to be able to use the same set of credentials in a lot of different places, but I’m not going to stop buying stuff from Amazon because they don’t play nice. So I’ll put this one in the “swing and a miss” bucket and look forward to getting closer in 2008.
Check out the other posts in the Report Card series.
2007 DOI: Day 8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Read the rest of the 2007 Incites here.
Identity is one of those words that security professionals hate. It can mean everything to everyone, or nothing to no one. Most folks think Identity just refers to single sign-on and provisioning, which remains a pretty big business. But I’m pulling back on my direct coverage for IdM topics, because it’s big, ugly and pretty much every vendor sounds the same.
Which makes it a lot different than the rest of the security disciplines I follow. NOT!
But back to the topic. Identity is increasingly being used as differentiation and leverage for network security gear. What does that mean? It means that some brain surgeon finally figured out that it’s a big pain in the ass to use an IP address as the way to implement policies on users.
As I roam around and connect into the network from all sorts of places, my IP address is pretty much useless. What I need is a way to map the IP address to my identity and provide a location-aware enforcement capability so that “Mike Rothman” can only get to the resources that I’m supposed to, depending on where I am.
Thus there is a big rush to integrate all security equipment with LDAP and Active Directory. But here’s the rub. Whenever every vendor is doing exactly the same thing, it’s not novel. And even if a vendor has to totally re-architect their offering to make it identity-aware, which won't happen for 2 or 3 quarters - they’ll still announce that they are all over "identity."
So customers are confused for a change. Being the Pragmatic type of guy that I am, I say we get back to focusing on problems, as opposed to paying attention to marketing hype and other fabrications. Don't worry about "Identity NAC" unless you have a real, defined (and budgeted) project to implement NAC (either pre- or post-connect).
Worry about the problems you know you have. How about authentication, especially if you are a bank? Got that one licked? Yes? Then you are probably lying, even if FFIEC says you need to be done. Address those issues. So work on mutual authentication projects to make sure it’s harder to phish you. Think about other less token-centric authentication technologies. Watch as keystroke dynamics improves and starts to make an impact in 2007.
There is also a movement to build “identity networks” that will allow stronger authentication credentials to be used across web sites. To use my own business as an example, I use PayPal as my credit card processor. I could get an authentication token from them for free, but at this point, I’d only be able to use it for PayPal, and that’s not interesting.
Will it happen in 2007? Nope. But as more and more consumer brands look to differentiate on security, there is a clear opportunity for an “identity network” to emerge providing interoperability. There are lots of hurdles, but given the compelling value to customers, it’ll happen by 2009.
Report Card: Incite #3 - Who are you?
Here is the Report Card on Incite #3 on Identity Management.
Incite #3 - Who are you?
Identity Management (IDM) breaks out in 2006, as ROI-driven password management and single sign-on (SSO) initiatives are deployed en masse. Smart users increasingly figure out that strong and centralized IDM provides good enough authentication and authorization for compliance purposes, accelerating market growth in 2H 2006. Yet, identity federation continues to lag in a cloud of useless vendor bickering and standards immaturity until mid-2007. Token-based authentication finally hits the wall, as passwords remain good enough and no compelling alternative appears.
Grade: B
Original Days of Incite post: here
Incite Redux post: here
Have I mentioned that 2006 was a learning year? I learned a lot about what is important to focus on and what isn’t. Clearly Identity Management continues to be a critical part of the infrastructure and a lot of money was driven towards IDM products and services.
But this largely seemed to be a large company phenomenon, since their pain is the most acute. It’s pretty hard to deal with a hundred users, absolutely brutal when you start talking about tens of thousands. So IDM continues to be driven deeper and deeper into the large enterprise.
We also saw a lot of folks using the compliance “budget” to fund these projects. Provisioning and more importantly, de-provisioning are clearly compliance exposures and IDM (at least the provisioning engines) alleviates those issues. Moving forward we will still see lots of IDM being driven into the large enterprise.
What I missed is the renewed importance of authentication. FFIEC was one driver, but phishing and customer notification laws continued to shine the spotlight on faulty authentication processes. And the ability for phishers to (in limited cases) successfully use a man-in-the-middle attack on a one-time password authentication scheme continues to show the need to refresh those technologies.
RSA getting acquired at a big premium by EMC speaks volumes for how important authentication and data protection are to enterprise security moving forward.
Federation continues to make small inroads, again largely for larger enterprises. But it wasn’t due to standards confusion as I projected in the Incite. It was more due to the need to set up business relationships with trading partners to get Federation going. That’s not going to change, so Federation continues its slow path to the mass market.
Overall, the Incite was not bad – but not great. I’m rethinking how identity fits into the Pragmatic Security architecture and that will impact the depth and level that I cover the topic in 2007.
Passwords are dead? Long live passwords!!!
In reading this blog post from Douglas Schweitzer (here) this AM, I continue to be amazed that the viability of passwords remains in question. Let me say unequivocally, passwords are here to stay. Period. Weak passwords, strong passwords, pretty much all passwords. Why? Because they are easy and "good enough."
Oh crap, I hear you sighing again - there he goes with that "good enough" spiel again. Well, it's true. For about 90% of the stuff we do online, a marginally strong password is good enough. And I want to be able to store those passwords in my browser. So I'm really pissed about the Firefox 2.0 XSS issue that forced me to delete all my stored passwords yesterday (thanks to the Mogull for the heads-up here).
Douglas' point in the post is that passwords are hard to administer and they are unsafe (who knows when a key logger is on a machine and all the passwords are compromised?). That's a load of crap. There are password management tools that allow users to reset their stuff in an automated fashion. What's hard about that? And the idea that passwords are unsafe has everything to do with what you are trying to protect.
He relies on a December 2005 Gartner report that predicted: "By 2007, 80 percent of organizations will reach the password breaking point and will need to strengthen user authentication with alternative security methods." I think if you are talking about 80% of banks, they'd be right because of the FFIEC guidance on multi-factor authentication. But there is a snowball's chance in hell that 80% of ALL organizations will strengthen user authentication by even the end of 2007. Maybe this research is taken out of context, but it feels similar to the prediction Bill Gates made almost 3 years ago that "spam will be solved in two years." Not so much.
So, according to Douglas, "With passwords gradually falling out of favor, the biometric industry has ably stepped up to the plate to fill the widening void." Again, not so much. I've been in this space a long, long time and since I started, we've been talking about biometrics. And not a damn thing has happened. Is it because "users are not comfortable with what they don't understand?" I don't think so. You actually think that the idea of a fingerprint reader is so hard to grok?
It's because people just don't care. They are still doing their transactions with passwords and that is just fine for them. There is no catalyst to get them to look at something more secure and that doesn't even bring up the continued technical issues that plague biometrics (like accuracy and deployment of readers).
To be clear, I believe in a concept called "contextual authentication." Basically this means that you use the right amount of authentication to provide adequate security for what you are trying to do. Logging onto your web email account has one level, while getting access to your brokerage and/or bank account online should have another. And a much more stringent level should be required if you are transferring large sums of money or doing something that is just uncharacteristic (like withdrawing money from Senegal if you live in Topeka).
I do believe there is a role for semi-biometrics type technology like keystroke dynamics. Why? Because it's transparent to the user. They don't even have to know it's there, and there is no requirement to distribute readers. As that technology matures, I suspect we'll be seeing a lot more of it baked in.
And I am pretty indifferent relative to password length as well. Passwords can be broken, regardless of how long you make them. But the idea of having a longer one without requiring stupid capitals and special characters makes sense.
But I've just got to push back on this death of passwords crap because it's just not right.
Can Oracle succeed in security?
Dealing with Oracle when you are an analyst is loads of fun. There is no more arrogant company out there. I asked for a briefing on their identity management stuff early this year, and I got the "read our white papers, they'll tell you everything you need to know." It was clear, they didn't have time for analysts that don't have a G or F in their company name.
But that's OK. Oracle has never really been taken seriously in the security space, so it's not like I have a lot of folks asking me about what they are up to. But given the amount of money they've spent on acquiring a space in the Identity Management space and the fact that data security is becoming more real (EMC/RSA being a pretty significant data point), I'll need to suspend disbelief and take another look at what Oracle is up to.
So I was pleased when a little birdie gave me a sneak peek at Oracle's "security strategy" briefing for hundreds of analysts and customers around the world. Shockingly enough, they claim to be the "leader" in security. That's a laugh. But I'll get to that.
First, what does Oracle consider security? Basically it's the stuff they sort of have. Access Control (but they mean Identity), data privacy (database encryption), and compliance (whatever that means). So they are hovering around in what I call information or data security and Identity in Pragmatic Security lingo.
They make a number of bold claims, including integration amongst the products and that their security works consistently across all of their applications. Huh? So they've gutted PeopleSoft and JD Edwards and Siebel and now have a common security model. Maybe on the PPT, but not in reality. Oracle does have a bunch of crap in a bag. But to say it's integrated is insulting the intelligence of the folks that buy stuff from them. Though I know that Oracle holds their customers in high regard. Kind of like CA in the days of yore.
Basically, all of this cool integration and the like is on a Fusion roadmap. Due to the wonders of federation and standards, many of the products (at least on the IAM side) can work together. But that ain't integration, to be clear.
What about data privacy? Well anyone that's even tried to do sophisticated logging on a high transaction production database knows it kills performance. And to try to do field level encryption? No way. Unless you are running at 10% utilization that is. Then you've got plenty of headroom to drive your DB to 90% utilization. Performance has never been their strong suit. But that's what bigger servers are for, no?
And compliance? As I've said a million times, compliance is a process not a product. It's very easy for Oracle to make it a pillar of their security strategy because it doesn't mean anything. So if you can get logging to work, then you can pull a report on it and BAM! You are compliant. Did I mention that I hate compliance lately?
Now that I've rained all over their parade, I'll begrudgingly admit that Oracle will be a factor in data security. If only due to their market presence. Whether we like it or not, Oracle controls much of the data in the largest enterprises in the world. That's a pretty powerful position to be in, but it's far from a mandate to control information security.
To date, no one has a compelling "big story" as to how data security evolves over time. And that creates opportunity for other big players (like EMC, IBM, Symantec and Microsoft) to codify that story and take the thought leadership high ground. It also creates a window for smaller data security players to gain a foothold and thus become acquisition bait.
But Oracle always has Plan B, just in case they can't tell the big story and their roadmap falters - it's the checkbook. There is the old saying that "the enemy of your enemy is your friend." Well over the past few years, Oracle has bought both their friends and enemies until there isn't much left standing.
But these were mature markets. Very much like the CA of old. They are milking the acquired revenue streams. But data security ain't mature. There are no revenue streams to milk.
So Oracle can crow all they want about being the leader of this or the leader of that. Soon enough they'll figure out that security is different. They'll need a more compelling vision for the customer. They'll need to get some application security technology (like a web app firewall). And they'll need to be more respectful of a heterogeneous world.
Oracle is not Cisco or Microsoft. Applications have inertia, but it's nothing like the inertia of the network or the desktop. With the advent of SOA, applications and data can be and will be anywhere and everywhere. A strong disruptive application is much more likely to be adopted than something new in network plumbing or on the desktop.
Maybe they can learn a lesson from CA, which proved that what goes around, comes around. Even if it takes years. But probably not.
NetworkWorld Column: EMC + RSA = New force in data security
In this week's column, I go into the EMC/RSA deal - but more from the perspective of why all of the detractors have it wrong. I seem to be one of the only folks that is positive about the deal, but I like it that way. If I agree with everyone, I'm not doing my job.
I'll also note that I have to be more careful about using cliches like "game-changing" in my mass market columns. I do use that term here, but then I went on to say about how the term game-changing makes me want to puke. Surprisingly, that part got edited. Arghhh!
But I guess that is part of the game. We'll see how this deal plays out over the next few years.
http://www.networkworld.com/columnists/2006/071706rothman.html
Technorati tags: EMC, RSA, security, M&A, data security, authentication, identity management
Smokey Novell and the Bandit
To be clear, I am not an applications guy. I left that world for the glorious space of networking and security in 1991 - and I haven't looked back. I'm an infrastructure guy - bigger pipes, deeper moats, more power!!! But I do get that we build (and secure) the infrastructure to support the applications. To date, most applications are neither network nor security aware. They assume big pipes and build in their own security. It's been that way since the beginning of time. Every attempt to get application oriented folks to externalize security functions has gone over like a lead balloon.
I should know. Back in 1998, I started a company called SHYM Technology that was going to externalize authentication, encryption and digital signatures via a middleware layer between the application and a public key infrastructure layer. Let's just say that didn't work out too well. The application vendors only wanted to cash our partner program checks and the PKI vendors decided to compete with us. But I did learn a lot. You always do when you take $30 million of someone else's money with you.
I apply many of those lessons every day and I saw with great interest Novell's announcement of their Bandit open source initiative. NetworkWorld's coverage is here. In a nutshell, Bandit is trying to externalize how applications use identity information. By establishing a common set of application calls, there would no longer be the need to build role-based security models and identity stores into applications. They would be handled in the infrastructure.
I wish there was an open source model when we were doing SHYM. We had to do all the integration work ourselves and integrating anything with SAP and PeopleSoft is a bear. And that's on a good day. If we had a community that would have built the connectors, we would have been able to magnify our impact before the PKI vendors had a chance to see our threat and respond accordingly. But we didn't, so we didn't. And that's why I'm not on a beach somewhere sipping a daiquiri in a friggin' pineapple with an umbrella in it. But I'm not bitter. Really.
In a nutshell, application support is the biggest threat to Bandit. Sure, everyone is jumping on the bandwagon. IBM, Microsoft, Liberty, Symantec all think this is great. Where's SAP? Where's Oracle? Those are the folks that need to buy into this. And Microsoft's Identity group can say all sorts of great things (Kim Cameron is quoted in the article), but when will Microsoft Dynamics support Bandit (or any other interface)?
Application support is where the rubber meets the road. I don't want to sound like a wet blanket or anything, but that will dictate the success or failure of Bandit. I think it's a great idea and sorely needed. It fits perfectly into my Pragmatic Security architecture, which has Identity as a separate layer/domain being leveraged by the infrastructure and the applications. But making that happen is a long and arduous process and it's not clear the application vendors want to see it succeed.
Let's take Oracle for example. No, I haven't talked to them about this (in fact, they make it a habit not to talk to analysts about anything), but indulge me for some speculation. Why do you think they've made such heavy investments in Identity? I think it's because they see it as a way to differentiate their applications with SAP at the high end and Microsoft at the low end. They want to make it really easy for Oracle application customers to add the identity management layer. They'd also like to see Oracle Identity customers move towards their apps. So how interesting is it for Oracle to be able to support all identity systems through a standard API? Right, not very.
Rock on Bandit! I wish you the best and I hope a huge community develops around you so folks like Oracle and SAP don't have a choice but to support your interfaces. But be wary of those Sheriff Buford T. Justice(s) in application vendor garb lurking around every corner. They are not your friends.
Earnings: How RSA Got its Groove Back
When I was a marketing guy, RSA was the company everyone loved to hate. Not because they necessarily did anything wrong, but I and many of my security marketing brethren hated paying the RSA Conference ransom. This was especially an issue during the tech meltdown because you couldn't hit a customer with a 12 gauge shotgun at the show. There were none to be found.
And the quiet but steady erosion of their installed base of tokens made the company seem tired and on the long slippery slope to oblivion. Folks like Vasco and Secure Computing were making the token business about pricing, instead of functionality. It certainly didn't help that they bungled the Securant acquisition, basically getting into the space of web access management right as it peaked, paying a pretty significant premium.
A few earnings misses, the departure of a well respected CFO and VP Sales and Marketing, and the wheels seemed to be falling off the bus. Clearly it was just a matter of time before one of the big security aggregators bought RSA to milk their installed base.
But now a very strange thing has happened, RSA is turning it around. You can count on your fingers the number of companies that have turned the ship. They announced a Q1 (with record revenues and beating earnings by a penny) and a good outlook for Q2. Of course, one strong quarter does not make a turn-around, but things look good. There is buzz around RSA again.
The reason is pretty simple. They bought a company called Cyota back in September. Cyota provides what I've dubbed "contextual authentication" services to most of the big banks around the world. Using their software, the banks can decide how strongly they need to authenticate a user for each specific transaction. So now, the banks can just require a password to check your balance, but can require a series of stronger methods if attempting a high value transaction.
Contextual authentication is the next big thing in the authentication space. No one really has a competitive offering, so RSA taking Cyota out of play was a strong move.
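The "contextual authentication" idea described here and in the "Passwords are dead?" post above (password for a balance check, stronger methods for a high-value transaction, and a further step-up for something uncharacteristic like a withdrawal from an unexpected country) is easy to express as a small policy evaluator. The following is an added illustration, not code from Security Incite, Cyota or RSA; the action names, assurance levels, the 10,000 high-value threshold and the home-country rule are all assumptions chosen to mirror the examples in the posts. Unknown actions fail closed to the strongest level rather than defaulting to a password.

```python
"""Contextual (risk-based, step-up) authentication policy evaluator.

Added example; not code from the original posts or the vendors they discuss.
Action names, thresholds and assurance levels are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication strength a user has presented or must present."""
    PASSWORD = 1      # password only
    OTP = 2           # password plus a one-time code
    OUT_OF_BAND = 3   # OTP plus confirmation on a separately registered channel


@dataclass(frozen=True)
class Context:
    user: str
    action: str               # assumed names: view_balance, transfer, withdraw
    amount: float = 0.0       # transaction value, if any
    country: str = "US"       # where the request appears to originate
    home_country: str = "US"  # where the account holder normally transacts


# Assumed baseline per action: read-only actions need only a password,
# anything that moves money starts at OTP.
BASELINE = {
    "view_balance": Assurance.PASSWORD,
    "transfer": Assurance.OTP,
    "withdraw": Assurance.OTP,
}
MONEY_MOVING = {"transfer", "withdraw"}
HIGH_VALUE = 10_000.0  # assumed threshold for "large sums of money"


def step_up(level: Assurance) -> Assurance:
    """Raise the requirement one level, capped at the strongest method."""
    return Assurance(min(level + 1, Assurance.OUT_OF_BAND))


def required_assurance(ctx: Context) -> tuple[Assurance, list[str]]:
    """Return the assurance level the context demands and the reasons why.

    The reasons list is what you would write to the audit log so that a
    step-up decision can be explained later.
    """
    reasons: list[str] = []
    level = BASELINE.get(ctx.action)
    if level is None:
        # Fail closed: an action the policy does not know gets the strongest requirement.
        return Assurance.OUT_OF_BAND, ["unknown action, failing closed"]
    if ctx.action in MONEY_MOVING and ctx.amount >= HIGH_VALUE:
        level = max(level, Assurance.OUT_OF_BAND)
        reasons.append(f"high-value {ctx.action} of {ctx.amount:.2f}")
    if ctx.country != ctx.home_country:
        # Uncharacteristic location: one level stronger than the action alone would need.
        level = step_up(level)
        reasons.append(f"request from {ctx.country}, account home is {ctx.home_country}")
    return level, reasons


def decide(ctx: Context, presented: Assurance) -> dict:
    """Compare what the user has already proven against what the context requires."""
    required, reasons = required_assurance(ctx)
    verdict = "allow" if presented >= required else "step_up"
    return {"verdict": verdict, "required": required, "presented": presented, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample requests, loosely following the examples in the posts.
    samples = [
        (Context("mike", "view_balance"), Assurance.PASSWORD),
        (Context("mike", "transfer", amount=500.0), Assurance.PASSWORD),
        (Context("mike", "transfer", amount=50_000.0), Assurance.OTP),
        (Context("mike", "withdraw", amount=200.0, country="SN"), Assurance.OTP),
    ]
    for ctx, presented in samples:
        result = decide(ctx, presented)
        print(f"{ctx.action:12} {ctx.country} {ctx.amount:>9.2f} -> "
              f"{result['verdict']:8} need {result['required'].name}; {'; '.join(result['reasons'])}")
```

The point of returning the reasons alongside the level is operational: a step-up that cannot be explained in the audit trail is indistinguishable from a bug, and a fraud team tuning thresholds needs to know which rule fired.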
But more importantly, it gave the RSA field something strategic to talk to their customers and prospects about. Something the reps understand, which is authentication. That web access management stuff is different. So is provisioning, which they initially OEM'd from Thor (who was subsequently acquired by Oracle). RSA had a hard time selling those other applications because they weren't tokens.
At the same time, identity management became front and center on the project plans of many of the large enterprises and RSA has a decent story. They stick to their authentication knitting and add value to the big stack players. The Sign-On Manager is well regarded. Since customers are looking to add to their RSA offerings, the renewal premium for all of those tokens goes down a bit easier. In many cases they are buying more and/or new stuff from RSA. This has a powerful effect on RSA results and momentum.
As I mentioned, one quarter does not make a turnaround, but the trend lines for RSA are moving in the right direction.
SearchSecurity Article on Federated Identities
I recently published an article on SearchSecurity.com regarding Federated Identities. This is becoming a hot topic as many organizations have some type of internal identity infrastructure in place and are looking to extend that beyond their enterprise borders.
Read the article here: http://snipurl.com/o94n.
Identity 2.0 Can't Get Here Soon Enough
It's bad enough to have to take a red eye flight back from the west coast, but having to make connections adds insult to injury. But, in order to use my frequent flyer miles (and I still have a ton), sometimes you have to compromise a bit.
So I'm in Chicago very early on Friday morning with about 90 minutes before my flight leaves. Being quite a cheapskate, paying the $7 for WiFi access made me even grumpier than I normally am, but I had a lot of work to do so I paid the money. Then I proceeded to spend the next 10 minutes setting up an account with the O'Hare WiFi provider and taking care of the financial transaction.
It made me think that I can't wait for the promise of Identity 2.0. How cool would it have been to just have presented a special InfoCard (maybe not the specific InfoCard technology, but something like it) with my business credit card information and took care of the transaction automagically? The WiFi provider would have seen my assertion about who I am and what card I want to use for the transaction. They could then check with the credit card provider to ensure the authenticity of my credentials. It would be all transparent and I would have been online in less than a minute.
Instead I now have yet another account with yet another provider for me to forget. There is no way I'm going to remember my credentials, so the next time I'm in O'Hare I'll need to reset my password anyway. Another 10 minutes burned.
I'm sure some wise ass is going to tell me to get a Boingo or iPass account, which provides transparent authentication, and they would be right. But, I'm not on the road enough to warrant spending $30/month, so that won't work.
So, I'll just suffer through the 10 minutes of overhead each time I need to connect somewhere, until I get so pissed off that I get that EVDO card I've been spying.