About July 2009

This page contains all entries posted to AuthenticationWorld Blog in July 2009. They are listed from oldest to newest.

July 2009 Archives

July 6, 2009

Commoditization of physical security

Last week, I chatted on the phone with Terry Neely, CEO of PlaSec. His company produces standard interfaces which allow the enterprise to control different physical access control panels and doors and interface these to IT identity management systems. They are one of the first signs I have seen, beyond Quantum Secure, of what I call "the commoditization" of physical security. That's what this blog is going to discuss.

Historically, physical security manufacturers produced their own door controls, control panels, database and their own admin systems. There was competitive advantage for them in that there was a great difference between how different systems worked. The manufacturers' business model was to install their own hardware and the sales reps were accordingly given sales incentives to achieve this.

Then along came TCP/IP, digital convergence, off-shore manufacturers of access control devices, enterprise identity management and regulatory compliance. This is bringing to physical security what I call "commoditization".

Commoditization is the process of producing goods at low price points. Today, one can make a case that there is a difference between the cameras used BUT the differences are quickly diminishing. Thus the hardware used is no longer such a large differentiator between vendors.

When commoditization meets digital convergence, then you have what is commonly referred to as a market disruptive force. Now new protocols are emerging such as PSIM that allow physical security devices to interconnect with identity and access management systems. You also have companies like PlaSec appearing that can provide universal interfaces to different hardware components.

It is my own personal opinion that the physical security market is entering the very early days of a big shakeout. Many large enterprises are going to begin taking the decisions to purchase their physical security systems away from Facilities and transferring this over to CSO's and CIO's. They will do this because:
* Regulatory compliance - Quickly produce reports on who had access to what with one mouse click on an integrated identity and access management system that combines physical and logical security
* Reduce costs - Lower their overall on and off boarding costs by centralizing this function and linking it in the end to their identity and access management systems
* Security ops - Integrated physical and logical security systems to detect and respond quickly to combined physical/logical attacks

This means bad news down the road for physical security manufacturers. Those that keep to the past will go in the door to the Facilities Managers trying to sell them new hardware i.e. replace all that you have with my system. This argument will diminish over time as enterprises begin to swap out only pieces of a system with low cost generic parts.

Manufacturers will also face new competitors coming out of the IT space. Enterprises like Cisco are a new emerging competitive threat to physical security manufacturers. They have the ear of CFO's, CIO's and CSO's. They will provide their own physical security interfaces that easily connect to identity and access management systems.

Large physical security enterprises like ADT have advantages in that they provide 24 hour security services. However, for large enterprises, these services will come under increasing pressure to merge with IT security ops. In my long term view, these services will come under price pressure as combined physical and logical security services will be moved off-shore more and more.

I also think that over time, ERP vendors will move into this space. They control the identities, they produce access systems and they will become responsible for integrated physical and logical security ops. This will be bad news for physical security manufacturers when this happens. They will not only face increasing pressure from the hardware side BUT they will also have to compete on price points with the likes of Oracle who can slash margins on their physical security side and then make them up from their database and many other vertical applications.

We are at the early days of the disruptive market place. Companies like Quantum were at the leading edge a few years ago. Now you have companies like PlaSec emerging and new protocols like PSIM. Cisco is on the move in this market. It is still the early adopter phase of the market.

However, over the next two to three years we will move into the beginnings of the wider portion of the bell curve. That means trouble for those physical security vendors who haven't repositioned. It also means lower operating and capital costs for their customers who will increasingly move to new vendors who offer them services at lower price points and allow them to easily integrate with their identity and access management and security ops systems.

Regards,
Guy

July 8, 2009

Security ops need for an integrated logical/physical security incident response system

Medium to large enterprises spend millions to tens of millions of dollars or more each year on security. The sad part is that much of this can be overcome by social engineering and/or coordinated physical/logical attacks.

Why would a potential commercial, criminal or intelligence attacker try and penetrate through your logical perimeter defenses or try to penetrate your sophisticated electronic badging system when there are so many easy ways in? Instead they could tailgate in a door, install a wireless network device on one of your internal network ports and begin figuring out the internal network. Or, even easier, they would pay one of the janitorial crew to install keyboard loggers on key personnel's desktops, gain all their uids and passwords, read over whatever they have typed in their desktop for the last days, weeks or even months and then begin to prepare an attack.

All of which makes mincemeat of the systems that people like me sell to senior management and then implement as a "secure" system. Many of our security systems are designed for the past and not for the present and the future. This blog will focus on one portion of what I see as the future for security i.e. the need to create an integrated logical/physical incident response system.

Today, in most enterprises, there is the IT security ops system and the physical security ops systems operating separately. This is folly for monitoring combined attacks that occur on the physical and logical systems. An enterprise needs to detect as fast as possible an attack and then take action.

Part of the challenge is figuring out if an attack is an attack. When a network, database, application or content management anomaly is detected, this quickly needs to be tied to the identity who is actioning it. In turn, the identity physically has to be located, or the IP port that the anomaly is coming from. This means quickly auditing backwards to see which facility, doors, rooms and cubicles the identity or network port is at. Then one can begin to draw conclusions as to whether an attack is in progress or whether it is a worker doing their job with an unusual task.
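The backwards audit described above, as an added example that is not code from this blog or from any SIM or PAC product: a logical anomaly is tied to an identity through its IAM session, then to the last badge event and the switch-port location, and a verdict is produced for the incident manager. Every record (port map, sessions, badge lines, the anomaly itself) is constructed for illustration.

```python
"""Tie a logical anomaly back to an identity and then to a physical location."""
from datetime import datetime

# Constructed: network inventory, switch port -> (facility, room).
PORT_LOCATION = {
    "sw-3f-01/12": ("HQ", "3F-Cube-312"),
    "sw-3f-01/40": ("HQ", "3F-Printer-Alcove"),
}

# Constructed: IAM/NAC session records, who is logged on from which IP and port.
SESSIONS = [
    {"ip": "10.20.3.112", "uid": "jdoe", "port": "sw-3f-01/12"},
]

# Constructed: PAC badge events for the day, "timestamp uid facility door result".
BADGE_EVENTS = [
    "2009-07-08T07:55:10 jdoe HQ Lobby-Turnstile GRANTED",
    "2009-07-08T08:01:42 jdoe HQ 3F-East-Door GRANTED",
    "2009-07-08T19:30:05 jdoe HQ Lobby-Turnstile EXIT",
]


def parse_badge(line):
    ts, uid, facility, door, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "uid": uid,
            "facility": facility, "door": door, "result": result}


def identity_for_ip(ip):
    """IAM lookup: the identity whose session owns this source IP, if any."""
    return next((s for s in SESSIONS if s["ip"] == ip), None)


def last_badge_event(uid, before):
    """Audit backwards: the identity's most recent badge event at or before `before`."""
    events = [e for e in map(parse_badge, BADGE_EVENTS)
              if e["uid"] == uid and e["ts"] <= before]
    return max(events, key=lambda e: e["ts"]) if events else None


def correlate(anomaly):
    """Return what the incident manager needs: identity, location, verdict, reason."""
    when = datetime.fromisoformat(anomaly["ts"])
    facility, room = PORT_LOCATION.get(anomaly["port"], ("unknown", "unknown"))
    where = f"{facility}/{room}"
    session = identity_for_ip(anomaly["src_ip"])
    if session is None:
        # No IAM session behind this IP: treat as an unmanaged device on a live port.
        return {"uid": None, "location": where, "verdict": "escalate",
                "reason": "no identity for source IP; unmanaged device on port"}
    uid = session["uid"]
    badge = last_badge_event(uid, when)
    if badge is None:
        verdict = "escalate"
        reason = "identity has no badge activity before the anomaly"
    elif badge["result"] == "EXIT":
        verdict = "escalate"
        reason = f"identity badged out at {badge['ts'].time()} but session still active"
    elif badge["facility"] != facility:
        verdict = "escalate"
        reason = f"identity last badged at {badge['facility']}, port is at {facility}"
    else:
        verdict = "review"
        reason = (f"identity badged through {badge['door']} at {badge['ts'].time()}; "
                  "possibly an unusual task")
    return {"uid": uid, "location": where, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    print(correlate({"ts": "2009-07-08T21:15:00", "src_ip": "10.20.3.112",
                     "port": "sw-3f-01/12"}))
```

The verdicts are deliberately coarse: the point is that the three data sources (session, badge log, port inventory) are enough to separate "worker on an unusual task" from "session alive after the worker badged out" before anyone is dispatched.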

More than 10 years ago, while I was working under contract at Oblix in California, I had a vision. I saw in my mind an integrated physical and logical security system. There would be a three dimensional map of the planet indicating where an external attack was coming from that would then be displayed against the logical network, databases and applications. Overlaid on this would be a three dimensional display of the physical enterprise.

An incident management person would quickly be able to determine where a logical attack was coming from and then, if there was a physical component, see what rooms or physical network ports were involved. Today, with the advent of good IP based cameras, my vision would expand to allow the incident manager to see if there was any entry to the room, floor or building, look for door ajar and other present or past warnings, quickly go back in time to see who had accessed the area and then to draw conclusions.

This might lead to sending a physical security guard out to inspect or intercept, shutting down logical access, doing nothing but escalating this to senior management while a watch was kept up or many different other actions.

At the time I had my vision, all of this was simply a dream since there was no way to get the log files in real time from all the many different perimeter defenses, physical security systems, applications, databases, identity and access management systems etc. Today, however, it is definitely possible.

Companies like ArcSight and other Security Information Management (SIM) vendors can collect and process many log files in real time. Using products like Quantum Secure it's possible to integrate disparate physical access control (PAC) vendors' monitoring and run this to a central location. So, getting the information to a central point is no longer the main obstacle.

Creating the interface is now possible. Recently I saw a short clip taken from a US government sponsored system that shows, in three dimensions, the planet and attacks happening in real time on the perimeter defenses and the internal key apps, infrastructure, databases, etc. So this is now possible.

What remains is to:
* Stitch this all together with an overlay of the physical enterprise
* Then the hard part is creating the incident management logic

I believe the incident management logic will evolve over the next several years. It can be quite complicated. The first thing to do is to create mostly manual based systems where the security ops incident management person/team can draw their own conclusions and then act. Over time, parts of this will, in my own personal opinion, be automated.

I am looking for enterprises who are early adopters and vendors to work with to create my vision. If you're interested, please contact me.

Regards,
Guy

Interview with Security Squared about Physical and Logical Identity

Sharon Watson, from Security Squared, recently interviewed me for an article she was writing on security convergence "One person, one identity, one credential". She then published an edited version of our interview "Real World Physical-Logical Identity and Access Management". This is a good overview on my views and experiences on physical and logical security integration.

Regards,
Guy

If I were a large physical security vendor here's what I'd do...

This blog will focus on what I would do if I was a large physical security vendor.

1. Get all my PAC products to meet LDAP, SPML and XACML protocols.
This enables the products to easily interconnect with any of the logical identity and access management products. Most are now LDAP (Lightweight Directory Access Protocol) enabling communication between the enterprise directory and the PAC.

Recently at Toronto Hydro, they are in the test phase of implementing SPML (Service Provisioning Markup Language) for one of the Tyco companies' PACs, Intercon. I think this is the first PAC product to do this. (If I'm wrong, email me and I'll update this blog.) This is an open protocol that enables provisioning and deprovisioning of the PAC by the enterprise identity management system.

XACML (eXtensible Access Control Markup Language) is the ability for an identity management system to provide authentication for a PAC access. It's another open protocol just now being deployed in most identity management products.

By doing this, the PAC vendor gives more reasons to the enterprise to buy their products or to keep them there as the enterprise takes a global integrated view of physical and logical security.

2. Acquire SIM (Security Information Management) vendors and begin developing integrated physical/logical access incident management systems. This is the first of my four acquire recommendations. Physical access control vendors need to morph into access control vendors as the markets between logical and physical security converge. A smart physical vendor will see that by building the incident management system they can leverage the out-sourced physical security services they already provide to the enterprise. Otherwise, I believe that over time, their markets will degrade as other non-physical security vendors take over more and more of existing PAC service functions.

3. Acquire identity and access management vendors. The large Fortune 500 enterprises have already standardized their identity and access management on vendors like Oracle, IBM and others. The physical access control vendors will have to play nice with these (recommendation #1). However, there is the huge market of the Fortune 5000 companies that don't have identity and access management. By acquiring identity and access management vendors like Novell and others, the PAC vendors can leverage their security position to sell identity and access management solutions to their clients.

4. Buy Quantum Secure before Oracle, IBM or SAP does. They are the market leader at the moment in integrating PACs of different types together. It is my own personal view that if the PAC vendors don't get with it quickly, someone like Oracle, IBM, SAP, Microsoft or Cisco will acquire Quantum and begin to eat the PAC vendor's lunch.

5. Sell solutions and build up a larger consulting portion of the PAC business. Selling hardware is not going to be the way to maintain healthy margins over the next 3-7 years. PAC vendors need to begin building up a strong, knowledgeable physical/logical security practice. This won't be easy since very few enterprises and individuals have the skill sets. I would likely buy up some identity and access management consulting firms and then train them in physical security integrations.

6. Retrain the existing PAC sales staff. Many of the PAC sales people are not very IT savvy. As the decision makers begin to become CSO's, CIO's and VP IT's, this means that the sales staff not only need to know about the world they're entering but also need to begin calling on these folks.

It is still very early days in the physical/logical convergence market. Getting a strategy in place now and beginning execution is much better than losing market share 2-3 years from now to what I call the future new competitors such as Cisco, Oracle, SAP, etc and then having to play catch up.

Regards,
Guy

July 9, 2009

Explaining security to the Board

In today's complex digital world, security is very complex. There are numerous attack vectors into and within an enterprise, physically and logically. I have found that explaining security to senior non-IT managers and Board members is tough. While they want to understand, many get lost in all the terminology, can't begin to understand the thousands of different roles, their privileges, how they're terminated, etc. Their eyes often begin to glaze over.

Ten years ago, while I was working at Oblix, I was thinking about it. I told my friend Derek Small my visions, one of which this blog will dive into, namely how to convey security and risk to senior managers and Board members.

I told Derek that one day ERP vendors would own the identity and almost all of the security space. I then said that they would develop ERP "risk" modules. The risk module would determine business, content, intellectual property and physical risk. From this, the risk module would then set the security privileges for physical, logical and content access together with the ERP access control and content management modules.

Then I went on to describe to Derek how complex security information would be explained to senior managers and board members. Using the approach that a picture is worth a thousand words, I explained how a three dimensional image would depict the enterprise physically. The executives could zoom in and see a particular facility. They would see red, yellow, blue and green color areas depicting critical, high, medium and low risk.

Then they could overlay on this the logical security. They would be able to see logical security color coded as well. By examining this they could see where there was a combination of risk physically and logically. They could then see which roles had access to the critical and high risk areas. They could apply an authentication risk chart to their high and critical risk areas and determine if there was a need to strengthen identity and application authentication security.

My thinking was that by graphically depicting this, executives and board members would begin to understand how their security dollars were being spent and make more informed decisions.

Ten years later I am seeing the early days of my vision begin to unfold. Alert Enterprise! is releasing a series of products that work with SAP to display risk and integrate physical and logical security together.

This is still early days in the marketplace. I predict that over the next five years there will be a variety of new products that begin to deliver what I had in my vision.

Regards,
Guy

July 13, 2009

Authentication Risk Charts

How many vendors of physical and logical security are talking about providing your enterprise with different authentication mechanisms? They talk about HID cards with "multi-factor" authentication, "biometrics", "digital certs", "RSA tokens", etc. All of which is supposed to better protect the enterprise...right? Well maybe not. That's what this blog is going to discuss.

I am going to use an old analogy of putting the cart before the horse and not getting anywhere until the horse is in front of the cart. The cart in this analogy is the many different authentication mechanisms. While each vendor emphasizes one, two or three different authentication mechanisms, the focus is all on the technology and not on risk, different degrees of risk and having a way to measure this against authentication. This is the horse.

Many large Fortune 500 enterprises I have dealt with had no overall enterprise risk assessment done for all physical locations, their logical infrastructure and their content. They had pieces of this done. Where the risk assessment was done it was silo-ized. The people who did it were usually separate from the people who were applying the security. The risk wasn't measured against authentication.

When I consult with my clients, one of the first things I go hunting for is enterprise risk assessments and where they don't exist, I then create them. While there are different ways of measuring risk, in the end, we usually come up with ratings for physical, logical and content security as critical, high, medium and low.

In parallel to the risk assessment efforts, I then begin to develop an enterprise authentication risk chart. I get the enterprise to create a chart where "0" is no trust at all in the authentication of the identity and "100" is absolute certainty the identity is who they claim to be.

The next step is to then apply numerical measurement against different types of authentication. For example, uid and password is the most common form of logical authentication and also one of the least secure methods. I normally rate this a score of "15". Then we go up the numerical ladder rating different methods and combinations of methods.

Note that I educate my clients on the many, many types of authentication. Just because you are using a "biometric" doesn't necessarily mean that it is good. "A biometric is NOT A SECRET", as Bob Blakley from Burton Group has repeatedly stated in his numerous presentations over the years. Nor is a "finger scan" the same as a "digital fingerprint" or an "iris scan" etc. Likewise, having a token in one's possession, like a proximity security badge, is also not that strong an assertion that the identity holding it is the one it claims to be.

I get my clients to agree on numerical points which we can then relate to "zones of trust" i.e. our enterprise risk assessment. For example, we might say that a score of 15 or less is acceptable for our low risk zones. 30 is the beginning of our medium risk zone, 60 is the beginning of our high risk zone and 85-90 is the beginning of our critical risk zone.

This chart allows us to then add in new methods of authentication as they become available in the future. It allows for different combinations to be used. It gets the client's head out of the authentication "vendor sands" and allows them to see risk applied to authentication in a measured way.

We then create logical rules requiring certain minimum scores in order to enter or gain logical access to the zones of trust. In the future, as some of my recent blogs indicate, I think that more and more risk assessment will be done in the ERP and then enforced by ERP access control modules.
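The chart and rules described in this post, as an added example that is not code from this blog or from any client engagement. The only numbers taken from the post are the uid/password score of 15 and the zone starting points 15/30/60/85; the other method scores, the knowledge/possession/inherence grouping and the combination rule (each category counts once, independent evidence combined multiplicatively) are assumptions for illustration.

```python
"""Authentication risk chart: score methods, combine them, enforce zone minimums."""

# Assumed scores on the post's 0 (no trust) to 100 (absolute certainty) scale,
# grouped by factor type. Only "password" = 15 comes from the post.
METHODS = {
    "password":        (15, "knowledge"),
    "pin":             (10, "knowledge"),
    "proximity_badge": (20, "possession"),  # possession alone: weak assertion
    "otp_token":       (50, "possession"),
    "finger_scan":     (35, "inherence"),   # a biometric is not a secret
    "iris_scan":       (60, "inherence"),
}

# Minimum combined score to enter each zone of trust (from the post; low accepts
# a plain password, 85 taken as the start of the critical zone).
ZONE_MINIMUM = {"low": 15, "medium": 30, "high": 60, "critical": 85}


def combined_score(methods):
    """Combine presented methods into one trust score.

    Assumed rule: two methods of the same factor type do not stack (the best one
    counts), and distinct types are treated as independent evidence, so the
    residual distrust is the product of each method's residual distrust.
    """
    best = {}
    for name in methods:
        score, category = METHODS[name]
        best[category] = max(best.get(category, 0), score)
    distrust = 1.0
    for score in best.values():
        distrust *= (100 - score) / 100
    return round(100 * (1 - distrust), 1)


def zone_for_score(score):
    """Highest zone of trust this score qualifies for."""
    zone = "low"
    for name, minimum in sorted(ZONE_MINIMUM.items(), key=lambda kv: kv[1]):
        if score >= minimum:
            zone = name
    return zone


def access_allowed(zone, methods):
    """The logical rule: the combined score must meet the zone's minimum."""
    return combined_score(methods) >= ZONE_MINIMUM[zone]


if __name__ == "__main__":
    for combo in (["password"], ["password", "pin"], ["password", "proximity_badge"],
                  ["password", "otp_token"], ["password", "otp_token", "iris_scan"]):
        s = combined_score(combo)
        print(f"{'+'.join(combo):35} score={s:5}  zone={zone_for_score(s)}")
```

Run the block and the chart makes the post's point by itself: a password plus a PIN is still a 15, a badge plus a password only reaches the medium zone, and even password, OTP and iris together stop short of the critical zone under these assumed scores.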

Don't allow your enterprise to be swayed by vendors pitching one authentication method against another. Too many IT and physical security people only have a limited knowledge of authentication. They mouth the words but don't understand the underlying risk, nor do they have an enterprise tool to measure risk against. The cart is trying to drive the horse.

Regards,
Guy


July 14, 2009

If I was a physical access control customer here's what I would demand of my PAC vendors...

This blog will focus on three protocols that PSIM (Physical Security Information Management) and PACS (Physical Access Control) vendors must adopt if I was a customer looking for a new PAC system or wanting to integrate my existing PAC with my enterprise identity and access management (IAM) system:
* LDAP
* SPML
* XACML

Why?

As the planet digitizes, there is an ongoing convergence of physical and logical security which my previous blogs have explored and which I have implemented on two prior occasions. Using open protocols means that instead of writing unique API's (Application Programming Interfaces) for the PAC products for each identity and access management vendor, integration can be easily and cost effectively achieved by adopting open protocols.

As indicated above there are three protocols that PACS need to write into their code kits:

LDAP (Lightweight Directory Access Protocol) is already implemented in many PACS. This enables the enterprise directory (which contains the most current state of enterprise identities) to interface with the PACS. At Capital One in the mid 2000's my team wrote LDAP scripts to on and off board identities from the enterprise directory to the Lenel PAC we had standardized on.

SPML (Service Provisioning Markup Language) is an open protocol that enables enterprise identity management provisioning services to automatically on and off board identities in PACS. At Toronto Hydro, my team is currently in the test phase of deploying SPML with Tyco's Intercon PAC. I explained to the Intercon team in my first meetings with them that using SPML was the obvious alternative to having to write and maintain unique API's to the numerous identity and access management vendors' provisioning products. Instead, they would simply write and test the SPML interface once and then easily allow their customers to integrate with the identity provisioning service of whichever provisioning product they were using, since almost all provisioning products are becoming SPML compliant.

XACML (eXtensible Access Control Markup Language) is a new open protocol that allows other systems to make access control decisions. It is conceivable that some enterprises will want their enterprise identity and access management system to make the decisions of who can get in the door. However, at Toronto Hydro, I decided to not do this immediately. There are also cons to this approach.

The enterprise identity and access management system's network connectivity may be down or slow. As hundreds or thousands of people try to access certain doors at peak times, any slowdown will not be well received by the identities trying to get in or out of the door. I was planning, in later releases, to deploy a limited form of XACML in which the vendor would build code that accepted XACML decisions from the IAM system when the network connection was fine but reverted to the PAC's own database if the system response was too slow.

In the future, I can see many variations on this. For high or critical security zones, the enterprise might want to use XACML and have the IAM system do the authentication and authorization decisions for certain physical access but decide to use the PAC's own database for medium or low security zone access, etc.
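The door-decision logic sketched in the last two paragraphs, as an added example that is not code from this blog, from Toronto Hydro or from any PAC vendor: a decision point that routes critical and high zones to the IAM system's XACML policy decision point (PDP) with a timeout, falls back to the PAC's own database when the PDP is slow, and keeps medium and low zones local. The XACML 2.0 request uses the standard subject-id, resource-id and action-id attribute identifiers; the PDP client, the zone map and both access databases are constructed stand-ins (a real PDP would be an HTTP endpoint).

```python
"""Door access: XACML from the IAM system with fallback to the PAC's own database."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

PDP_TIMEOUT_S = 0.5  # assumed: the longest a door may wait on the IAM system

# Assumed zone policy from the post: IAM decides high/critical, PAC decides the rest.
ZONE_USES_IAM = {"critical": True, "high": True, "medium": False, "low": False}
DOOR_ZONE = {"3F-East-Door": "medium", "ServerRoom-A": "critical"}

# Constructed: the PAC's own database (badge -> doors). Note badge-1001 still
# holds ServerRoom-A here, though the IAM system has already removed it.
LOCAL_ACL = {
    "badge-1001": {"3F-East-Door", "ServerRoom-A"},
    "badge-1002": {"3F-East-Door"},
}
# Constructed: what the IAM system currently authorises.
IAM_ACL = {"badge-1001": {"3F-East-Door"}, "badge-1002": {"3F-East-Door"}}


def build_request(badge, door, action="enter"):
    """Serialise a minimal XACML 2.0 context request for this badge, door and action."""
    req = ET.Element(f"{{{XACML_NS}}}Request")
    for section, attr_id, value in (("Subject", SUBJECT_ID, badge),
                                    ("Resource", RESOURCE_ID, door),
                                    ("Action", ACTION_ID, action)):
        sec = ET.SubElement(req, f"{{{XACML_NS}}}{section}")
        attr = ET.SubElement(sec, f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, DataType=XSD_STRING)
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{XACML_NS}}}Environment")
    return ET.tostring(req, encoding="unicode")


def make_stub_pdp(acl, latency_s=0.0):
    """Stand-in for the IAM PDP: parses the request and answers from `acl`.

    A latency above the caller's timeout is modelled by raising TimeoutError
    instead of sleeping, which is what a real client with a deadline would do.
    """
    def pdp(request_xml, timeout):
        if latency_s > timeout:
            raise TimeoutError("PDP did not answer within the timeout")
        root = ET.fromstring(request_xml)
        path = "{ns}%s/{ns}Attribute/{ns}AttributeValue".replace("{ns}", f"{{{XACML_NS}}}")
        subject = root.find(path % "Subject").text
        resource = root.find(path % "Resource").text
        return "Permit" if resource in acl.get(subject, set()) else "Deny"
    return pdp


def local_decision(badge, door):
    """The PAC's own database decides."""
    return "Permit" if door in LOCAL_ACL.get(badge, set()) else "Deny"


def decide(badge, door, pdp):
    """Return (decision, source); the source is logged so audits can see who decided."""
    zone = DOOR_ZONE[door]
    if not ZONE_USES_IAM[zone]:
        return local_decision(badge, door), "local:zone-policy"
    try:
        decision = pdp(build_request(badge, door), timeout=PDP_TIMEOUT_S)
    except TimeoutError:
        # The post's fallback: the door must still work when the IAM system is slow.
        return local_decision(badge, door), "local:pdp-timeout"
    return decision, "iam:xacml"


if __name__ == "__main__":
    fast, slow = make_stub_pdp(IAM_ACL), make_stub_pdp(IAM_ACL, latency_s=5.0)
    print(decide("badge-1001", "ServerRoom-A", fast))
    print(decide("badge-1001", "ServerRoom-A", slow))
```

The second printed line is the cost of the fallback: while the PDP is slow, a badge the IAM system has already deprovisioned from the server room is admitted from the stale local copy, which is why the decision source is recorded on every event and why the local database still needs SPML or LDAP synchronisation rather than being treated as a complete substitute.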

If I was a PAC customer, this is what I would demand of my PAC vendors to even get on the bid list. I would be aiming at easy integration of the selected PAC with my enterprise IAM systems. "With it" PAC vendors will quickly adopt and retrofit their PAC offerings with this if they want to continue to be successful in the future.

Regards,
Guy

July 17, 2009

The REALLY BIG identity marketplace

A couple of weeks ago, while reading over some comments on LinkedIn, I was chuckling to myself. One person was saying that we had had SSO, Provisioning and Federation and now was waiting (read bored) for the next great thing to come onto the horizon. This blog will focus on the horizon.

The message from me to readers on message boards like LinkedIn is to wake up and smell the coffee. Having more new tools isn't going to make a revolution. Figuring out how to take the tools and apply them to the mass market, now that's a revolution.

Over the past decade, most large Fortune 500 enterprises have adopted some form of identity management. We are now in the wave of the Fortune 2000 type enterprises adopting identity management. This includes utilities, municipal, state and federal governments, etc. All of which makes for the beginning of the fat portion of a bell shaped adoption curve.

The challenge is figuring out how to get the tens of thousands and hundreds of thousands of small businesses in each country to partake in identity management. Now that's a revolution when it occurs.

However, like all revolutions, making this occur isn't easy. You can't take people like me, who charge and make all kinds of money, and companies like Oracle and IBM to go into a small mom and pop store and bill them to implement identity management. They would likely tell people like us to "piss off".

First of all, why should they even care about identity management? Looking down the road, I see several reasons why:
* Federation with other manufacturers - a lot of industry today has parts and components made in very small companies which are then integrated into larger components. The ability for a company, their application (like CAD/CAM) or a worker to instantly log on and interact with other companies' applications, inventory management, shipping, billing and finance requires streamlined, simple, identity management.
* Services with clients and customers - the same as above also applies to the service industry. As larger enterprises out-source much of their non-core services to small businesses, it requires the ability to authenticate, authorize and audit sessions on different enterprise systems. Again, all of this requires simple, streamlined identity management.
* Government - as more and more government services become digital, it will help the company and its workers in being able to quickly and seamlessly interact with the government services. Again, some form of identity management is required.

Most small enterprises are not going to know anything about identity management. To them it will simply be a service/toolkit. Here's how I envision this to occur over the next ten years:

1. Cloud and Payroll/Contract as a Service - much of small business computing will be done in a cloud environment and/or using out-sourced, inexpensive services. It's much easier for the business to support. As things like payroll get put into the cloud, in a low cost, easy to use way, then I see opportunities opening up for identity.
2. The authoritative source for identities in most enterprises is the payroll or contract system. Once small enterprises begin to adopt cloud and payroll/contract as a service offering, then identity providers can quickly take advantage. They can tie into the services, in pre-determined ways, using tools like virtual directories to quickly create enterprise directories and identity management systems. The companies who will offer this service will be new start-ups and, I believe over time, financial institutions.
3. Federation - the small business will sign contracts with their identity providers determining who gets hit financially and legally when an identity federation goes wrong. Over time, I believe that the vast majority of this will become main stream (but certainly not overnight!). With the contract, the identity third party will act as the "middle-person" and federate the identities between the small business and their suppliers, customers, etc.
4. De-provisioning - one of the many problems in all businesses is ensuring that an identity's privileges are quickly removed when the identity is terminated or goes through a role change. By tying the identity to the paycheck, I believe that this will solve much but not all of the small business provisioning problems. When an identity is no longer getting paid, the identity management third party will automatically terminate access rights.

I don't mean in the above, to simply gloss over all the many, many challenges in creating this. However, it is the application of the existing technologies in new ways that will create a huge uplift in identity management. This includes wrestling with all the legal and liability challenges. It also must address the numerous security issues in cloud computing.

The identity management I'm talking about is more of a service than a large suite of software installed in the small business. Like all revolutions, it will take many efforts, some successful and some not. However, there is a big change coming. Vendors and consultants would be wise to think about this in new ways of applying their technology instead of waiting for some thing new that is going to keep them employed.

Regards,
Guy

July 21, 2009

Identity Verification

Over a coffee a few weeks ago with a banker, she commented on the poor tools used to validate bank customer identities. I then told her about a column I had written two years ago on identity verification and which I will review here since what I said back then still applies.

In today's digital world and planet that can be traversed by air in 24 hours by commercial planes, there are many challenges in validating identities. I personally believe that the next 20 years are going to see even more pressure on validating identities as human clones come into existence.

In the past, much identity validation could be done based on someone attesting for you. This is the foundation upon which notary acts and notaries are based. In the digital world, I believe that digital notaries will become common place over the next decade. For many legal and commercial transactions, having a person attest that you are who you are is enough. But, this doesn't cover what is coming at us in the future.

As human cloning comes onto our radar screens along with genetic engineering, I predict that there will be many new situations arising for which our existing identity validation techniques will not suffice. It will become a necessity in many situations to biologically validate one identity from another.

Whether you agree with me or not, there are also the existing poor identity validation tools in place that the banker I had coffee with referred to. She was referring to the driver's licenses, birth certificates and passports they currently use.

All of these identity validation techniques use paper. It is not hard to get a SSN/SIN number, then a driver's license and then a passport for a person who is not the real identity presenting themselves at the government counters. The pieces of paper they issue don't really validate the person biologically presenting themselves. Instead, they are weak forms of attestation that an identity is who they claim to be. In turn, financial institutions rely upon these pieces of paper as ways of legally defining their customers.

Add to this the current situation of people searching your identity online. In today's world, you have no idea when your name is searched online. This works for many legal and marketing companies but it erodes an identity's privacy. How can an identity preserve their privacy in today's world?

I can see the general direction of the answer. In my paper "The Challenges With Identity Verification" I laid out a general plan to take DNA samples from an identity when they are born. This would be digitally stored in a central birth, name and death registry. Next, I said that anyone doing a name search would require the identity's permission to do so (with some judicially approved exceptions). This would then bring the identity some form of privacy that they don't have now.

Many people took issue with my paper. They said it was "big brother". The fact that your DNA is falling off you every second didn't stop folks from asking what the government would do with this.

Others made more valuable points. Some pointed out that DNA wasn't enough to differentiate identical twins. Others pointed out that DNA techniques were not 100% effective in differentiating identities.

Sir Alec Jeffreys, the founder of DNA analysis for identifying humans, agreed with my general strategy.

I am not an expert but I can see the future. It involves using biological determinants taken when an identity is born, and then using the best science to create a digital national and international birth, name and death registry with strict restrictions over who can do a search on you. Today such a search is not hard to do, and you, the identity, have no control over it.

This registry then becomes the foundation upon which other government credentials are issued.

Then new laws need to be created over the use, storage and retention of biometric authentication used elsewhere in the workplace and for entrance to logical and physical areas. There are few laws in existence today that protect an identity. How do you know that a biometric finger scan you gave seven years ago was destroyed after you left your employer? What legal safeguards do you have to protect you?

The world is dramatically changing. Our methods of identity validation also need to evolve.

Regards,
Guy

July 22, 2009

Single Point of Enterprise Failure

Many large enterprises have deployed single sign on (SSO). As many of the early adopters found out the hard way, SSO creates a single point of enterprise failure. If SSO goes down, so too do all applications that are protected by SSO.

Many SSO implementers (whom I call the "technoids") think they have addressed this by having hot failovers. In other words, if an SSO server or group of servers goes down, the SSO system automatically fails over to another set of servers. While this is a good idea, it doesn't prevent a catastrophe from happening, which is the subject of this blog.

To understand the complexities of web based single sign on, you first of all need to follow the flow of electrons. The electrons flow from the browser, through the network, to the application and its servers, where the signal is intercepted and then redirected, usually through load balancers, through to the identity and access management subnets and their internal firewalls, to access servers and on to LDAP directories and/or databases, then back to the client and onwards to the application and its servers. That's a large portion of the IT infrastructure network.

Most SSO systems are required to operate at 99.999% availability or even higher. This means that:
* All pieces of the route the electrons flow through need to be continuously monitored, independently and as a system, by using authentication scripts
* The monitoring needs to interact with some logic determining the level of the incident
* The incident management system must then automatically be started and escalate differently depending on the criticality of the developing incident
* A central command console needs to be implemented, instantly displaying all the monitoring and incident management events
* A central security ops team needs to make instant decisions and be able to down, restart and isolate certain servers and/or networks and/or databases and/or directories

All of which needs to happen in seconds and minutes. The system can never go down.

It has been my extensive experience that most enterprises wander into this not comprehending the enterprise risk, thinking that simply by having the servers as hot failovers all will be well. When the systems go down through the failure of one part of the access management infrastructure noted above or, due to a lack of fast, well thought out, coordinated response, then all hell breaks loose. I have seen the CEO on the phone every 30 minutes for several hours demanding to know when their enterprise will become digitally unstuck from the SSO failure.

If you are embarking on a large SSO and/or provisioning project, then pay heed to what I have written above. In large enterprises, some of the hidden logs lurking beneath the SSO/provisioning waters that your consultants don't normally tell you about are:

1. Implementation of a wide monitoring campaign for all parts of your network and infrastructure.
2. Long time lines to integrate the monitoring software with logic that will differentiate events. For example, if one access server goes down, the event may trigger an email to the on-duty security ops team requiring them to fix it over the next 12 hours. However, if two access servers go down (or one quickly followed by another), then the logic must rapidly escalate this up the ladder, have security ops people in the middle of the night logging on within a few minutes, etc.

Integrating the monitoring, with the incident management and IT ticketing systems all takes lots of time. All of which, I have found usually takes several months to prepare for.

3. IT reorgs - When you're operating a five or six nines availability system, you don't have time to call up Jane or John in networks, then call over to database support, etc, to determine what to do about a problem. Very frequently, I have re-org'd the IT support infrastructure such that there is one security ops team that is well cross-trained on networks, load balancers, firewalls, access servers, database servers, directory servers, etc. They have only seconds and minutes to make critical decisions.
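The event-differentiation logic from point 2, as an added example that is not the blog's own code: synthetic-authentication probe results for each piece of the SSO path are reduced to the two tiers the post describes (one access server down gets an e-mail and a 12-hour window; two down, or one failure quickly followed by another, gets an immediate page-out). The component names, the 15-minute "quickly followed" window and the rule that a component with every instance down is critical are assumptions; the probe data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RAPID_WINDOW = timedelta(minutes=15)    # "quickly followed by another" (assumed)
MINOR_FIX_WINDOW = timedelta(hours=12)  # the 12-hour window from the post

@dataclass(frozen=True)
class Probe:
    """Result of one synthetic-authentication probe along the SSO path."""
    ts: datetime
    component: str   # e.g. "access_server", "ldap", "load_balancer"
    instance: str    # e.g. "as-01"
    ok: bool

def classify(probes):
    """Two-tier escalation: 'minor' -> e-mail on-duty ops, 12h to fix;
    'critical' -> page security ops now. Critical when two instances of one
    component are down, when failures follow each other within RAPID_WINDOW,
    or when every known instance of a component is down (path broken)."""
    state = {}                       # most recent probe per (component, instance)
    for p in sorted(probes, key=lambda p: p.ts):
        state[(p.component, p.instance)] = p
    failed = [p for p in state.values() if not p.ok]
    if not failed:
        return {"severity": "ok", "action": "none", "failed": []}
    known, down = {}, {}
    for p in state.values():
        known.setdefault(p.component, set()).add(p.instance)
    for p in failed:
        down.setdefault(p.component, []).append(p)
    times = sorted(p.ts for p in failed)
    rapid = any(b - a <= RAPID_WINDOW for a, b in zip(times, times[1:]))
    multi = any(len(v) >= 2 for v in down.values())
    broken = any(len(v) == len(known[c]) for c, v in down.items())
    names = sorted(f"{p.component}/{p.instance}" for p in failed)
    if rapid or multi or broken:
        return {"severity": "critical", "action": "page security ops now",
                "failed": names}
    return {"severity": "minor", "action": "email on-duty security ops",
            "deadline": max(times) + MINOR_FIX_WINDOW, "failed": names}

# Constructed sample probes (not real monitoring data)
BASE = datetime(2009, 7, 22, 2, 0)
SAMPLE_MINOR = [Probe(BASE, "access_server", "as-01", False),
                Probe(BASE, "access_server", "as-02", True),
                Probe(BASE, "ldap", "ldap-01", True)]
# second access server fails five minutes later: escalate immediately
SAMPLE_CASCADE = SAMPLE_MINOR + [Probe(BASE + timedelta(minutes=5),
                                        "access_server", "as-02", False)]
```

Feeding the same probe stream into an IT ticketing system is then a matter of mapping `severity` and `action` onto the ticket priority and notification path.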

Enterprises can learn from other's past mistakes and avoid having the CEO on the phone every 30 minutes demanding to have their enterprise back on line.

Regards,
Guy

July 27, 2009

What happened to my biometric?

Over the past two years, there has been a significant increase in the use of biometrics for authentication. It is becoming more commonly used to purchase groceries, to gain access to physical premises, to pass through passport control and to log on to computers. There are some dangers with this trend and that's what this blog discusses.

First of all, a biometric is no secret. It's a piece of who you are. Therefore, the use of biometrics to authenticate an identity poses a risk to the identity if their biometric is stolen. What are you going to do if your digital finger scans or prints are stolen? Relying solely on a biometric for authentication is therefore not recommended, especially in instances where the identity is in one physical place and digitally logging on to access something that is held elsewhere.

There is also the issue of privacy. Let's say that the enterprise you work for uses a fingerscan to gain access to certain facility areas of the enterprise. You leave the enterprise. What current legal requirements are there on the enterprise to remove the digital fingerscan registration from their databases? In most countries currently... none. What happens to the identity when the database is broken into in the future and the data is compromised? Will the identity even be notified that the database has been compromised? In most cases currently, no.

I think that technology is moving far faster than our current state, national and international laws. When identities give up a portion of who they are to authenticate, they need to be sure that the identity data will not be misused, and that when they terminate, or tell a commercial user to stop using their biometric (for example at a grocery store checkout), it will be deleted.

Regards,
Guy

July 29, 2009

Identity for the unwashed

Sitting here at this year's Burton Catalyst conference, I am very excited about the future of identity management. This blog will focus on identity management becoming adopted by the millions of small and medium businesses around the planet...without them knowing about it!

Here at Catalyst I sit surrounded by identity management gurus and its faithful. However, if you stand back and look at who's attending this conference every year, it's what I call the Fortune 1000-2000 crowd. The attendees are focused on implementing identity management for large enterprises. The vendors are equally focused on doing the same. But I can smell change in the air.

Millions of small and medium businesses don't even know the words identity management, nor would they care to. Their interest is in producing goods and services that earn them their incomes. So how will they adopt identity management?

Sitting here listening to the cloud computing presentations, I think that most folks are missing the true revolution of cloud computing. It isn't the Fortune 2000 who are going to become the biggest adopters quickly...it will be the small businesses.

Most enterprises are 1-100 employees. Most don't have IT folks and if they do, they surely aren't trained in identity management.

I believe that most of these enterprises will quickly embrace cloud computing because it offloads the complexity of IT on to others who can manage it for them. Take for example, my friend Derek Small's company, Nulli Secundus.

Nulli is one of the planet's pre-eminent identity management consulting companies. With a staff under 50, they are a small boutique business filled with "geeks", or what I jokingly tell Derek is his company of "plumbers". However, over the last two years, Derek has moved most of his company's IT functions into the cloud. It cuts their costs, simplifies their infrastructure requirements and is reachable from anywhere on the planet where they are working.

Derek's company is doing what most other small companies are going to do. They will use software as a service models, with payroll, email, "office suite", accounting, marketing and, over time, manufacturing software being run from the cloud. These businesses don't have the "deep roots" challenges that this morning's opening presentation on cloud described when elucidating the problems that large IT departments would face in migrating their functions to the cloud.

Small businesses will see, exactly as Derek's company did, the business opportunities of using cloud and software as a service and very quickly port over.

When this happens, it opens up all sorts of new ways of doing things for the business. I predict that quickly banks, telco's and payroll companies will begin to maneuver to become the trusted identity hub for these small and medium businesses. They will use tools like virtual directories to take the identity information from the payroll system and then be able to do authentications and federation services for the small businesses.

Companies like Ping Identity and Fugen are poised for rapid growth in my own opinion. Why?

Ping just announced a partnership with Google. Its Ping Connect product enables enterprises to quickly build connectors and conduct federation. Their product fits well with my vision of small businesses quickly federating.

Fugen is a company that I will describe in my next blog. They are key to the ability to create "federation factories" focusing on the business processes and tools required.

I predict that over the next two to three years, hundreds of thousands and millions of small businesses will begin to use identity management without knowing it. They will authenticate, be provisioned and deprovisioned and federate as required...all done as a service and not broken out as stand alone products.

It's the beginning of identity for the unwashed. Let the revolution begin!

Regards,
Guy