Thursday, December 18, 2008

Overarching Openet and OpenSSO

Overarching -- encompassing or linking all that is within its scope, range, etc. This is an apt definition for OpenSSO when it is integrated with multiple policy vendors' implementations. We've done integrations spanning one or two functional domains in the past (such as aligning NAC and device policies with service policies, or QoS/SLA policies with VM policies, and more), however (since this is also covered in the book) I am looking forward to more end-to-end integration projects taking shape in the Telco space moving forward.

This week we had an excellent 2-day workshop with 3 folks from Sun (Tom Harris, Rajeev Angal and myself) and a team of system developers and designers implementing a Unified Communications solution (our customer) with federated identity (AuthN), federated policy (AuthZ) and federated context (attributes) for an identity-enabled, policy-based, contextual communication and collaboration solution. Although this system will support multiple communications protocols (SMTP, SMPP, XMPP and more), through HTTP bindings, gateways and proxies all these services are integrated with a common IDS (we'll have a joint paper out soon).

These types of systems also leverage several policy layers: network-facing, session-specific PDPs and PEPs (like the one from Openet), service-facing PDPs for web services, web apps and content (such as OpenSSO), and VM/resource-facing PDPs and PEPs (such as FoxT), aligned with an adaptable AuthN PDP (such as Arcot) and a combining/obligatory PDP (such as Axiomatics). OpenSSO is the alignment engine, the one that sits between the end USER and the service he/she is accessing. Before that point the user has to reach the network, connect to it and get admitted (into the respective service or enterprise networks); after it, based on the services composed, the appropriate VM (with the respective resource) is assigned within that session, based on the SLA attributes for the user (or his/her role), so the services can run accordingly.

I see a trend where the telcos now deploying network-facing PDPs (such as Telus, BT, Verizon and AT&T), who have also had OpenSSO from a service perspective for a while now, are moving on to the VM PDP space. It's exciting to watch what was conceptualized and trialled on paper and in POCs being executed in pilots and production by telcos worldwide (primarily wireless operators). The pervasive policy paradigm is taking shape!!

Monday, December 15, 2008

Persona - not just a Partial Projection of one's Identity

I've always enjoyed Mark Dixon's blog Discovering Identity and his perspective on topics relating to Identity. Here is an interesting entry from Mark on Persona as a blend of Identity, Context and Preferences. The more insight into one's persona, the more personalization is possible. Context is on the one hand real-time and on the other hand persistent, and also transient. Hence through attributes we derive context: real-time attributes (such as location, presence, device in use, and more), persistent attributes (such as employer, title or role in the company/business, address, and more) plus transient attributes (not real-time and with a short lifespan, such as calendar, appointments, contact list, preferred next vacation location profiles, and more). Hence we can classify and organize context areas, attribute specifics, persona profiles and more in multiple dimensions, depending on the perspective we take. GREAT work Mark.

ACM Symposium on Access Control and IDM

Recently I had the pleasure of chairing a panel on Federation for Services at the ACM DIM 2008 event at GMU. The folks who organized this excellent event (Kenji Takahashi and team) also handed out a CD with all the papers presented at the event.

As a lifelong member of ACM I am looking forward to another great upcoming event organized by ACM SACMAT 2009 (by Dr. James Joshi and team).

Topics to be covered include:
  • Access control models and extensions
  • Access control requirements
  • Access control design methodology
  • Access control mechanisms, systems, and tools
  • Access control in distributed and mobile systems
  • Access control for innovative applications
  • Administration of access control policies
  • Delegation
  • Identity management
  • Policy/Role Engineering
  • Safety analysis and enforcement
  • Standards for access control
  • Trust management
  • Trust models
  • Theoretical foundations for access control
  • Usage control
This is the 14th such event; it started as an RBAC workshop in 1995. Folks working on products and projects that leverage:

  • eXtensible Access Control
  • Attribute based Access Control
  • Risk based Access Control
  • Role based Access Control
  • Context based Access Control
  • Resource based Access Control
  • Workflow based Access Control
  • OS/VM level Access Control
  • Data level Access Control
  • Trust based Access Control

are invited to submit papers by January 2009.

Sunday, December 14, 2008

Adaptive Authentication and Access Control

You've probably seen Sun's blog entries around the upcoming update to OpenSSO in 2009 that will include Entitlement Management. OpenSSO can also integrate with Arcot's RiskFort product for Adaptive AuthN, where historical data and contextual information are used for risk assessment and risk scoring, which is then used by policies, along with profiles and preferences, for Adaptive AuthZ. In my "Identity and Context" book (the 3rd in the series, to be released in 2009), I will cover this topic in the introduction chapter, since it's a great segue from policies to the context space. Context-aware security is the basis for an Integrated Identity Infrastructure when it acts as a conduit for contextual composition of converged services. Risk factors, multiple AuthN mechanisms, fingerprinting/digital signing, unified threat management and policies all play a combined role in these systems.

For me, adaptation of both the authentication rules and the access control rules is made possible by assessing risk at a given point in time.

There are several hundred ways to authenticate an entity today, from biometrics, fingerprinting and voice to 4-factor, multi-channel and attribute-based authentication (device id, location and more).

Similarly, the access control rules can be a combination of rule sets (several hundreds of them) depending on contextual rules, anomaly rules, role-based rules, resource-specific rules, session-specific rules (which cover the mobility area) and more.

Both ought to adapt based on the risk of the given circumstance: threats detected by the NIDS (network intrusion detection systems) such as pharming, phishing, MITM, DoS and session hijacking, risks associated with the resource accessed, risks based on the reputation of the user, the risk level of the transaction performed, risks associated with non-repudiation, and more.

Aligning the two, AuthN and AuthZ, in real time based on risk scoring makes this an adaptable, context-aware security system, relevant not just for the financial and banking sector but also for the mobile industry and any enterprise going mobile (with mobile payments, mobile apps and more). If we move in this direction, then, just as we can consume any permutation and combination of services and content within a session, the AuthN mechanism may vary on each occasion based on the context.

This is happening today with me: if I use my credit card at a gas station near my house I am ok, but if I do the same in a remote area it asks for attributes such as the last 4 digits of my SSN, zip code, last payment amount, etc. I register on an online site and I get a phone call to my mobile to validate the provisioning of my attributes. In one context the attribute required to authenticate was my last address (it's been 10 years since I changed address), and very often these are attributes based on a question bank (city where my son was born, year of marriage, favourite pet's name and more).

Adaptation simply implies that based on the time of day, your location, the device in use, the last transactions made, profile and preferences, and more -- the context -- the AuthN and AuthZ rules will vary. This is indeed a great way to go, especially for telcos that own certain attributes.
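To make the adaptation concrete, here is a small risk-scoring engine written for this post (it is an added illustration, not code from OpenSSO, Arcot RiskFort or any product named above). It combines persistent profile attributes with real-time session attributes and NIDS alerts into a score, picks the AuthN step-up that score demands, and lets the AuthZ rule tolerate less session risk for riskier resources. The weights, thresholds, step names and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:            # persistent attributes learned from history
    home_location: str
    known_devices: frozenset
    usual_hours: range
    typical_txn: float

@dataclass(frozen=True)
class Context:            # real-time attributes of the current session
    location: str
    device_id: str
    hour: int
    txn_amount: float
    nids_alerts: tuple = ()   # e.g. ("session_hijack",) from the NIDS feed

def risk_score(ctx: Context, profile: Profile):
    """Weighted sum of anomaly signals, clamped to 0..100, plus the reasons that fired."""
    signals = [   # (fired?, weight, reason) -- weights are assumed values
        (ctx.location != profile.home_location, 30, "unfamiliar location"),
        (ctx.device_id not in profile.known_devices, 25, "unknown device"),
        (ctx.hour not in profile.usual_hours, 10, "unusual hour"),
        (ctx.txn_amount > 3 * profile.typical_txn, 20, "large transaction"),
        (bool(ctx.nids_alerts), 40, "NIDS alert: " + ",".join(ctx.nids_alerts)),
    ]
    score = min(sum(w for fired, w, _ in signals if fired), 100)
    return score, [r for fired, _, r in signals if fired]

def required_authn(score: int) -> tuple:
    """Step-up ladder: the higher the risk score, the stronger the AuthN demanded."""
    if score < 30:
        return ("password",)
    if score < 60:
        return ("password", "question_bank")    # e.g. last address, zip code
    if score < 90:
        return ("password", "otp_phone_call")   # out-of-band call to the mobile
    return ("deny",)

def authorize(score: int, resource_risk: str, authn_done: tuple) -> bool:
    """AuthZ rule: riskier resources tolerate less session risk, and every demanded AuthN step must be done."""
    ceiling = {"low": 90, "medium": 60, "high": 30}[resource_risk]
    needed = required_authn(score)
    return score < ceiling and "deny" not in needed and all(s in authn_done for s in needed)

# Constructed sample data modelled on the credit-card-at-a-gas-station scenario above.
ALICE = Profile("Austin", frozenset({"phone-1"}), range(7, 23), 40.0)
AT_HOME = Context("Austin", "phone-1", 9, 35.0)
REMOTE = Context("Reno", "phone-1", 2, 35.0)
HIJACKED = Context("Austin", "kiosk-7", 14, 500.0, ("session_hijack",))
```

Running `risk_score` on the three constructed contexts shows the same user walking the ladder from a plain password at home to an out-of-band call when an unknown device, a large transaction and a NIDS alert coincide.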

Tuesday, December 09, 2008

CCIS Commission on Cyberspace

Read the Report. It is a clear indication of the importance of an integrated identity infrastructure for security. We are rapidly moving towards a context-aware security model where the Identity System performs its functions of AuthN, AuthZ, Session, Policy, Logging and more based on real-time context (ABAC: attributes both identity attributes, such as ID assurance levels and reputation ratings, and service attributes, such as device characteristics, location, and more) that includes current network events (threats and risk levels associated with the resource accessed within a session) and historical behaviours and anomalies seen.

8500 Billion Dollar Bailout reports Bloomberg

I was in SFO on the 26th of November and read the San Francisco Chronicle write-up on the dollar figure involved in the Federal bailout. With this 8.5 trillion dollars and the planned Obama presidency spending on Infrastructure and Green Technology, we can definitely hope for a solid recovery moving forward (after a 10 trillion dollar stimulus package):

Impacted industries:
  • Mortgage and Finance
  • Real Estate
  • Stock Markets
  • Retail
  • Manufacturing
  • Auto
  • Construction
  • Green Technology
  • Information Technology

This amount is more than the combined GDP of 5 of the countries in the top 10 GDP list (positions 6 to 10).