Saturday, October 24, 2009

Giving a Guest Lecture at GMU

As part of the coursework for ISA 562, students have to do a XACML project (20% of the grade). I am totally excited about being invited to give a guest lecture on XACML and ABAC to the 50+ students in this class. It is going to be fun!! I will also cover 5 sample XACML projects - one in Health Care, one in eGov, one in Edu, one in Telco and one in E-Biz - plus 5 reference papers, one for each project.

Disclosure, Deception and Disruption

The main textbook for the ISA 562 course is this excellent book by Matt Bishop. In the very first chapter he frames security in terms of Confidentiality, Integrity and Availability (CIA) and classifies the threats to them as Disclosure (snooping, wiretapping, etc.), Deception (spoofing, masquerading, repudiation, etc.) and Disruption (denial of service, delay attacks, etc.). Bishop actually lists a fourth class as well, Usurpation (unauthorized control of part of a system, typically via modification or delay), which is worth keeping in mind when you map threats to the CIA triad. We have so far covered the first chapter, the Access Control Matrix, Take-Grant models, RBAC, XACML and other policy topics in class (plus 2 homeworks and one exam). This book is a must for all security professionals (and for the course).

Thursday, October 22, 2009

Insights into Innovations for Telco's

Bhaskar Gorti delivering a keynote and having a chat at OOW. Having focused on Comms, Media and Entertainment for more than a decade now, I like the idea of identity-, policy- and context-enabled (communication-embedded) business processes and workflows - context will drive a number of innovative apps and services from a carrier cloud!!

Monday, October 19, 2009

Federal Identity Interop and Initiatives

Excellent agenda at the annual Smart Cards in Government event, to be held next week. It includes NIST, FIPS, ISO/IEC, trust (assurance) levels in AuthN, Kantara, and many more. Great opportunity if you are local!!

Thursday, October 15, 2009

Attribute Authority Appliances

The first part of this week I watched the majority of the Oracle OpenWorld keynotes (including Larry Ellison, Scott McNealy, Thomas Kurian, S. Gopalakrishnan (CEO, Infosys) and many others). There were a number of fantastic announcements:
This new DB appliance is directly relevant for many projects that are building Attribute Authorities (which augment the AuthN and AuthZ authorities in federated systems), because of the performance and throughput it achieves. Beyond directly identity-centric attributes, there are many industry-specific attribute authorities that need to federate attributes (the mobile and telecom industry, enterprises in health care, finance, education, government, etc., social networks and more). We are working on multiple OpenSSO projects where the ID repository plug-in is used to connect to MySQL and Oracle databases to federate the appropriate attributes for the appropriate context (in conjunction with a XACML entitlement engine that enforces the respective policies). There is a whole set of amazing technology behind this appliance.

I also saw a demo of business processes spanning HR, CRM and supply chain, in which identity-enabled communications were embedded into these services (which I thought was cool). Remember: every call, connection and collaboration is made for a context.

Monday, September 28, 2009

Carrier Network & Corporate Network Context

This perspective of adding ABAC (conditions and constraints) to an already implemented RBAC project is exactly what we are doing with an enterprise (a large financial institution) that is taking its home-grown, industry-specific applications (originally written for the client-server model and later moved to the web) to the mobile world with the help of a specific wireless carrier and Sun's Mobile Enterprise Platform. The existing RBAC implementation is augmented with ABAC (aligning the enterprise context with the mobility context): the same user holding the same role may be allowed different operations depending on whether the request arrives over the carrier's network or the corporate network, on the device, and on the channel. That way these mobile apps can be delivered while adhering to the different policy domains (privacy policies, QoS policies and more) and leveraging the appropriate context.

RBAC0, RBAC1, RBAC2 & RBAC3

Our last lecture at GMU was all about RBAC. I've always known that there were several iterations of RBAC from RBAC0 to RBAC3, with role hierarchies and constraints, yet I got more clarity on how they build on each other after the lecture. In the RBAC96 family, RBAC0 is the base model (users, roles, permissions and sessions), RBAC1 adds role hierarchies (a senior role inherits the permissions of its junior roles), RBAC2 adds constraints on a parallel path (for example separation of duty, where two roles are mutually exclusive, or cardinality limits on a role), and RBAC3 combines hierarchies and constraints. It should be noted that XACML, as an Attribute Based Access Control (ABAC) language, also incorporates RBAC: the XACML RBAC profile carries the role as a subject attribute and expresses the hierarchy through policy-set references. So an enterprise can keep its RBAC role assignments and have a XACML PDP evaluate the additional conditions and constraints (attributes such as device, network, time of day or transaction amount, resolved per authenticated session from a PIP) on top of the role check. Of course there is more to role management than just access control; it is intertwined with your business processes, IT processes, provisioning and more. We need the cars, trains, planes and boats.. BTW: my good friend Babak from Axiomatics emailed me about this webinar tomorrow.
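To make the layering concrete, here is an added example (my own illustration for this page, not OpenSSO, Axiomatics or any customer's code) of the RBAC3-plus-ABAC combination described above and in the carrier/corporate network post: a role hierarchy (RBAC1), a static separation-of-duty constraint (RBAC2), and XACML-style attribute conditions evaluated by a PDP that gets its attributes from a PIP and is called by a deny-biased PEP. Every role, attribute and rule is hypothetical, and the attribute data is constructed inline in place of the LDAP/DB attribute authority.

```python
"""RBAC3 (role hierarchy + constraints) with ABAC conditions on top, split into
PIP / PDP / PEP the way a XACML deployment is. Added illustration, not
OpenSSO or Axiomatics code; every role, attribute and rule below is
hypothetical and the attribute data is constructed inline."""

# RBAC0: permissions are (resource_type, action) pairs assigned to roles.
PERMISSIONS = {
    "teller":        {("account", "view"), ("account", "deposit")},
    "senior_teller": {("account", "approve_withdrawal")},
    "auditor":       {("account", "view"), ("audit_log", "view")},
}

# RBAC1: role hierarchy. A senior role inherits everything its juniors hold.
JUNIORS = {"senior_teller": {"teller"}}

# RBAC2: static separation-of-duty constraint. No user may hold both roles
# of a conflicting pair, even through inheritance.
SSD_CONSTRAINTS = [{"teller", "auditor"}]

# PIP stand-in: constructed in-memory attribute source. In a real deployment
# this is the attribute authority (LDAP/DB behind the OpenSSO ID repository).
USER_ATTRS = {
    "alice": {"roles": {"senior_teller"},     "branch": "NYC", "mfa": True},
    "bob":   {"roles": {"teller", "auditor"}, "branch": "NYC", "mfa": True},
    "carol": {"roles": {"auditor"},           "branch": "SFO", "mfa": False},
}


def effective_roles(assigned):
    """Transitive closure of the assigned roles over the hierarchy."""
    result, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(JUNIORS.get(role, ()))
    return result


def violates_ssd(assigned):
    """True if the user's effective roles contain a conflicting set."""
    roles = effective_roles(assigned)
    return any(len(roles & conflict) > 1 for conflict in SSD_CONSTRAINTS)


# ABAC layer: XACML-style Conditions keyed by permission. Each takes the
# subject, resource and environment attribute bags and returns a bool.
def cond_withdrawal(subject, resource, env):
    # Large withdrawals over the carrier (mobile) channel need MFA and must
    # target the teller's own branch; on the corporate network the role suffices.
    if env["channel"] == "mobile" and resource["amount"] > 1000:
        return subject["mfa"] and subject["branch"] == resource["branch"]
    return True


def cond_audit_log(subject, resource, env):
    # Audit logs are never served outside the corporate network.
    return env["network"] == "corporate"


CONDITIONS = {
    ("account", "approve_withdrawal"): cond_withdrawal,
    ("audit_log", "view"): cond_audit_log,
}


def decide(user, resource, action, env):
    """PDP: evaluate RBAC3 first, then the ABAC condition; XACML-style result."""
    subject = USER_ATTRS.get(user)
    if subject is None:
        return "Indeterminate"          # PIP could not resolve the subject
    if violates_ssd(subject["roles"]):
        return "Deny"                   # RBAC2 constraint violated
    perm = (resource["type"], action)
    held = any(perm in PERMISSIONS.get(r, ())
               for r in effective_roles(subject["roles"]))
    if not held:
        return "NotApplicable"          # no rule grants this permission
    condition = CONDITIONS.get(perm)
    if condition is not None and not condition(subject, resource, env):
        return "Deny"                   # role held, but attribute condition failed
    return "Permit"


def pep_allow(user, resource, action, env):
    """PEP: deny-biased enforcement. Only an explicit Permit lets the call through."""
    return decide(user, resource, action, env) == "Permit"


if __name__ == "__main__":
    acct = {"type": "account", "amount": 5000, "branch": "NYC"}
    mobile = {"channel": "mobile", "network": "carrier"}
    print(decide("alice", acct, "approve_withdrawal", mobile))   # Permit
    print(decide("bob", acct, "view", mobile))                    # Deny (SSD)
```

Two design points matter here. The SoD check runs on the effective (inherited) role set, not the assigned one, otherwise a hierarchy quietly defeats the constraint; and the PEP treats NotApplicable and Indeterminate exactly like Deny, which is what "deny-biased" means in XACML terms and is the safe default when the PIP is unreachable.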

Friday, September 11, 2009

Keeping a tab on my Keynotes and Key Patents

I will revisit this blog entry as I make progress with new keynotes and patents (on behalf of Sun Microsystems). There are 2 more patent applications and 3 or 4 more keynotes planned (2010):

Patents:
Keynotes:
  • ICEM2 -- Bangalore 2007 - International Conference on Embedded Mobile Communication and Computing. Title: "Identity and Security for NGN"
  • SOA Telecom -- Paris 2007 - Service Oriented Architecture for Telecom. Title: "ICA Aligning SOA and NGN"
  • IDTrust -- DC 2008 - OASIS Symposium on Identity and Trust. Title: "Identity and Policy for Security, Trust and Privacy"
  • NetID -- Berlin 2009 -- Identity, Trust, Privacy and Security in Europe. Title: "Identity and Context"
  • DIM -- Chicago 2009 -- ACM Digital Identity Management. Title: "Identity and Context for a Changing World"
Other Significant ones:

  • Open Group SOA -- Houston 2005 - Aligning Architectural Approaches (WS Incite Award)
  • Open Group IDM -- SFO 2005 - Identity enabled Network (Trailblazer Award)
  • Open Group ADM -- Barcelona 2006 - Aligning ADM and ADDM (SEI Award)
  • OASIS ID Workshop -- London 2008 - Embedding ID Policy (Above & Beyond Award)
  • Liberty Alliance WC -- Web 2007 & 08 -- ID Sec and ID Policy (webcast audio)

ID Proofing, ID Verification & ID Credentialing

Anakam is one of the OpenSSO and Sun IDM ISV partners that has integrated its solution set around proofing, vetting/verification, credentialing, etc., which is very relevant for a lot of eGov initiatives (as part of the registration and provisioning processes involved in a project). A topic I will cover at the IDM event in a few weeks, along with Badri Sriraman, Chief Architect & Development Manager, Identity & Credentialing, from Unisys. Brent Williams (CTO) of Anakam will also present at the event.

Cheng on Client Context based Authentication

It is one thing to support multiple authentication contexts (such as smart card and mobile contract) and another to support multiple AuthN types (such as role-based and realm-based). There could also be rules that take client context information into account: IP address, IP address ranges, private versus public IP addresses, client environment (browser, iPhone), device type and more. We are working on a POC that does exactly that for a customer who takes the client context into account to choose the authentication mechanism to use, and then delivers post-authN content based on rules. Excellent writeup, very timely and useful, by Cheng and team.
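As an added example of the kind of rule set described above (my own illustration, not the POC or the code from Cheng's writeup), the block below classifies a request's source network and device class, picks the authentication module chain and the resulting authentication level, and derives the post-authN content profile from that level. The address ranges, module names (`ldap`, `otp`, `mobile_contract`, `pin`) and levels are hypothetical, and the sample requests are constructed.

```python
"""Choosing the authentication mechanism from client context (source network,
device type) before any credential is seen, then picking the post-authN
content profile from the authentication level actually achieved. Added
illustration, not the POC or Cheng's code; the ranges, module names and
levels are hypothetical and the sample requests are constructed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan. Documentation ranges (198.51.100/24, 203.0.113/24)
# stand in for the carrier's NAT pool and the public internet; the corporate
# ranges are carved out of RFC 1918 space.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.100.0/24")]
CARRIER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
RFC1918_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ClientContext:
    ip: str            # address as seen by the PEP, never a client-supplied header
    user_agent: str    # client-asserted, so it may only choose among equal chains


def network_zone(ip_str):
    """Classify the source address: our corporate space, the partner carrier,
    other private space (not ours, hence untrusted) or the public internet."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in CORPORATE_NETS):
        return "corporate"
    if any(ip in net for net in CARRIER_NETS):
        return "carrier"
    if any(ip in net for net in RFC1918_NETS):
        return "private_unknown"
    return "internet"


def device_type(user_agent):
    """Coarse device class from the User-Agent. Mobile is checked first
    because phone browsers also advertise 'Mozilla'."""
    ua = user_agent.lower()
    if any(tag in ua for tag in ("iphone", "ipad", "android", "blackberry")):
        return "mobile"
    if "mozilla" in ua or "opera" in ua:
        return "desktop_browser"
    return "unknown"


# Minimum authentication level demanded by the source network alone. The
# device class, being client-asserted, can pick between chains that meet
# this floor but can never lower it.
MIN_LEVEL_BY_ZONE = {"corporate": 1, "carrier": 2, "internet": 2}

# (zone, device) -> (ordered authN module chain, resulting auth level).
# Anything not listed fails closed rather than falling back to a weak default.
AUTH_RULES = {
    ("corporate", "desktop_browser"): (("ldap",), 1),
    ("corporate", "mobile"):          (("ldap",), 1),
    ("carrier", "mobile"):            (("mobile_contract", "pin"), 2),
    ("carrier", "desktop_browser"):   (("ldap", "otp"), 2),   # tethered laptop
    ("internet", "desktop_browser"):  (("ldap", "otp"), 2),
    ("internet", "mobile"):           (("ldap", "otp"), 2),
}


def select_authentication(ctx):
    """Return (modules, level) for this client context, or None to refuse."""
    zone = network_zone(ctx.ip)
    rule = AUTH_RULES.get((zone, device_type(ctx.user_agent)))
    if rule is None or rule[1] < MIN_LEVEL_BY_ZONE.get(zone, 99):
        return None   # unknown zone/device, or a misconfigured rule: fail closed
    return rule


def post_auth_content(level, ctx):
    """Post-authN content profile: level-1 sessions get read-only data,
    level-2 sessions get the full profile, trimmed for small screens."""
    if level >= 2:
        return "mobile_full" if device_type(ctx.user_agent) == "mobile" else "full"
    return "read_only"


if __name__ == "__main__":
    ctx = ClientContext("198.51.100.23",
                        "Mozilla/5.0 (iPhone; CPU iPhone OS 3_0 like Mac OS X)")
    print(select_authentication(ctx))   # (('mobile_contract', 'pin'), 2)
```

The one caveat a practitioner should carry away: of the inputs listed in the post, only the source address as observed by the enforcement point is trustworthy, and even that only if you do not read it from an X-Forwarded-For header the client can set. The User-Agent is entirely client-asserted, which is why the table pins the minimum level to the network zone and lets the device class choose only between chains of that level; a spoofed device string can change how content is rendered, but it cannot buy a weaker login.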

Thursday, September 10, 2009

Ten Tremendous and Terrific Years

I still remember the day I started at Sun 10 years ago in September 1999. Since starting at school in the summer of 1990 to do my Masters at ODU, I had been working on SPARC systems in the school labs with what was known as SunOS. I was a hands-on administrator fixing issues and managing a group of workstations. After graduating in 92 I ended up as a Systems Analyst (with limited programming work - perl, sed, awk, grep, etc.), and then a Systems Administrator, later a DB Admin, and finally a PeopleSoft Architect, before joining Sun (approximately 2 years in each area, giving me the foundation to become a Systems/IT Architect). My boss in my previous job asked me -- if you had a choice of picking your company, who would you go work for (since I had just got my permanent residency and was about to complete the 4-year program/contract with them). Instantly my answer was Sun Microsystems, and voila, I was part of the company with Ray Metzger as my 1st boss (in Sun PS). On my very 1st day at Sun, I got a call asking me to book a flight that night to Las Vegas -- the Advanced Internet Practice (under Dan Berg) was having a group meeting and I was asked to join them (my 1st trip to Vegas). This was at the Paris hotel (which had just been inaugurated that summer). The 1st 4+ years at Sun PS were awesome. I had fun doing projects for Telcos in Canada, the US and Latin America (including Mexico, Argentina and Brazil). Around the end of 2002 I decided to specialize (from generic IT/Systems Architect) in identity-related projects - since we had just released the 1st Identity Server product (based on the Liberty Alliance specs that came out in 2001). This was based on the recommendations of my new boss then (Ron Schmidt) and what Dr. James Baty mentioned at a CETC/CEC event in 2002.
Luckily I worked on a 6-month PS project for a wireless company in Seattle (that was migrating from Odyssey 1 to 2 - the name of the architecture initiative), with an Oblix implementation for IDS and a SOA as the target architecture (one phenomenal project). That helped me transition to Software Sales and Services, working on projects (POCs, pilots and prototypes) primarily focusing on the NEP market (such as Nortel, Cisco, Moto, Ericsson and Siemens). This exposure resulted in a bunch of papers I wrote around "Identity enabled Networks", which were compiled into the 1st book in 2006 (also supported by Shawn Malaney, my boss then). Between 05 and 09 I also acted as the Technology Lead (1st for Telco and then for OpenSSO), primarily capturing market requirements and relaying them to product engineering (at CEC/SEC meetings in Santa Clara). Since 2004/05 I started working with many ISVs (Bonsai, Pronto, Openwave, etc.) and Sun Telco customers as well (such as Verizon, AT&T, Telus Mobility, etc.), moving on to publish this series of books and getting more industry exposure (working with the TMF co-op on SSO, the ITU-FG on IDM for NGN, Liberty Alliance ID Assurance programs, and more). In ten years I've had 5 managers (including Ken English and Dennis Mastin) and all 5 of them were true leaders!! fully supporting and encouraging individuals like me.

Amazing ride, a royal ride from Paris in Vegas the 1st week at Sun to the Rio in Vegas (for DIDW 09 and Kantara) next week (Sept 14th, which happens to be my birthday as well).

I love this company for 5 things unique to Sun:
  1. A company that is brimming with technology Innovation and encourages innovation from all
  2. A company that has been an Industry Leader in terms of inventions (Java, Niagara, SunSpot, etc.)
  3. A management that believes in Instrumenting a culture of team work and fearless courage
  4. Colleagues who are genuinely interested in working towards solving customer problems
  5. and Last but not the Least a Corporate Culture to Give and Volunteer
I will cherish this Award, the Sun PIN and the Mongoose Bicycle (recognition award).. Similar to the thousands of employees who have completed 10 or more years.. We all got a lot from this company -- a productive atmosphere, training, exposure to high profile projects, visibility, and a solid amount of experience!

Sun is Shaping a Sustainable Future

I noticed this upcoming event on corporate culture and ethics a few months back, a forum organized by IAHV (the AOL sister organization), since I am an IAHV volunteer as well. As I'm completing 10 years at Sun Microsystems (next week), I nominated Sun Microsystems (recently acquired by Oracle) and its chairman Scott McNealy for their role in a corporate culture of volunteering and giving that has taken shape in recent years, based on a number of community programs that leverage technology.

This culture is both top-down and bottom-up, with support from the chairman of the company, Scott McNealy, whose pet project Curriki is an online environment created to support the development and free distribution of world-class educational materials to anyone who needs them, down to many grass-roots level folks such as Betsy Hansen and her work at horsepower, along with many such volunteers. With an outstanding business conduct record, Sun was recently named one of the World's Most Ethical Companies.

Sun's technology has been leveraged by many community-based collaboration projects that aim to address issues and concerns around housing/shelter, education, transparency and more, such as Architecture for Humanity, a collaborative community-based tool that helps design low-cost homes for countries in Asia and Africa. This includes programs addressing the world's hardest problems, including DATA (Debt, AIDS, Trade, Africa), the ONE Campaign, Make Poverty History, Oxfam, Architecture for Humanity, and others.

Sun's worldwide volunteer week programs and digital divide programs have made tremendous impacts globally:
http://www.sun.com/aboutsun/foundation/init_employees.jsp
http://www.sun.com/aboutsun/foundation/volunteer_programs.jsp

The majority of the Sun employees and senior management I know are volunteering in one form or another, especially since Sun as a corporate entity works with its employees to pursue the goals of their choice: one employee may be passionate about programs fighting cancer, another about volunteering for the digital divide, and so on, and they may pursue those through their own community effort and with support from Sun, catalyzing the initiatives with their combined efforts.

As an employee who is completing 10 great years at Sun, and as Sun is celebrating 27 years, I wanted to share my experience and understanding of how Sun creates this culture of volunteering, leveraging technology and community-based tools. I was reminded of this today since I got an email about Sun's SAI!!

I hope Sun Microsystems as a corporate entity and Scott McNealy as the chairman get to win this award this year!! It will be a well deserved RECOGNITION!!

Sustained Spending on Sun Sparc and Solaris

I spoke to a few large Sun Telco shops about this advert. This is very good news for them. Also watch out for Niagara 3 (16 cores with 8 threads per core = 128 hardware threads per socket)!! An ideal processor for large-scale Identity Providers (which handle federation, AuthN, policies and context), since that workload is a very large number of concurrent, mostly independent sessions rather than a few long single-threaded computations.

Wednesday, September 09, 2009

Secure Span for SOA Security

With the first cut of the OpenSSO entitlement services released as part of an express release, one can easily see how existing implementations can use OpenSSO as a Policy Administration Point (PAP, i.e. the policy admin/management point) and a PDP that integrates with multiple types of PEPs (such as the run-time policy enforcement engine from Layer 7) and with other specialized PDPs. This is very relevant for cloud computing control: when everything eventually ends up in the clouds (IaaS, SaaS, PaaS, S(ec)aaS and more), policies in conjunction with attribute authorities, aka PIPs (SLAs as well), become pervasive.

Sunday, September 06, 2009

Complimentary Paper on Cloud Computing

Excellent Burton Group paper that introduces one to cloud computing: the terminology used (SaaS, IaaS, PaaS, etc.), similar to the paper by the Cloud Security Alliance (which is more from a security perspective), cloud business models, pricing models, benefits and issues. Infrastructure as a Service, to me, includes all layers of infrastructure (including software infrastructure such as JEE containers and identity servers). The majority of the focus should be on cloud service security and cloud service management (leveraging ITILv3-based approaches).

Cloud Application Architecture - Another Cloud Book

Other than Subra's book, I plan to read through this one, by George Reese, as well. Excellent series from O'Reilly.

Wednesday, September 02, 2009

Cloud Security - by Subra from Sun

New book authored by Sun Microsystems employee Subra Kumaraswamy on the application-level security requirements in the cloud computing context. Check it out!!
