Identity Driven Enterprise (Security) Architecture (IDEAs!!)

Thoughts on Token Technology Trends- No: 41

2012-01-28T21:45:00.000-08:00

This is a link to the presentation I gave to the Trust Elevation WG at OASIS, headed by Dr. Abbie Barbir. I might extend the time frame to post the reminder 59 thoughts around token trends (not within the 100 days) to late 2012.

Thoughts on Token Technology Trends- No: 40

2012-01-28T21:42:00.000-08:00

And also Microsoft supports a type of Access Tokens in its operating system.

Thoughts on Token Technology Trends- No: 39

2012-01-28T21:27:00.000-08:00

In the Data Tokenization space -- we need to go beyond simple data element tokenization (such as SS# and PAN) and leverage a Data Tokenization Platform such as the Intel Token Broker. The idea is to have a tokenized representation of all "data" resource - which includes a table, a db or directory. See the demo and read the papers. Such Data STS are also integrated into XACML based entitlement systems (such as Axiomatics and Oracle EM).

Thoughts on Token Technology Trends- No: 38

2012-01-28T21:21:00.000-08:00

Of course when you have major mainframe applications and mainframe batch jobs still in production, we need to extend the legacy RACF authentication of such legacy systems and specialized implementation such as eZtoken enables these tokenized representation.

Thoughts on Token Technology Trends- No: 37

2012-01-28T21:17:00.000-08:00

While OATH tokens are Authentication tokens we also have OAUTH tokens as access tokens. Amongst Access tokens we can have tokens such as an RBACtoken or a XrML token that offers tokenized representation of access privileges for a user. Very useful when access decisions are taken for multiple distributed resources and in collaboration with multiple access tokens.

Thoughts on Token Technology Trends- No: 36

2011-11-13T05:17:00.000-08:00

Another popular SAML token is the Web Service Security SAML token, which provides the capability to federate a Tokenized representation of a Web Service and the messages it contains. Majority of the STS (secure token services) support this profile, and it is very useful for XACML (policies) to inter-operate with WS-Policy as well. The WSS-SAML token acts as the identifier to align both policy space.

Thoughts on Token Technology Trends- No: 35

2011-11-13T05:07:00.000-08:00

Similar to the approach taken by the SPENGO effort in the past (negotiated authentication), OATH is another initiative that aligns a few Authentication methods and tokens, such as; Standalone OTP generators, Smart Cards, USB Key FOBs, Software tokens and Trusted Platform Module (TPM) tokens via client negotiated framework with STS (secure token services). The power of OATH token is that it is a framework that is token agnostic and authN mechanism agnostic, and that it will have commercial implementations via Ping STS and others. Therefore if you see a OATH token in a STS representing a subject - you can expect that it is negotiated with the client application or application type before it is generated.

Thoughts on Token Technology Trends- No: 34

2011-11-13T04:57:00.000-08:00

Integrating Tokens into a Map is one of the key functions of a STS (secure token service). STS can initiate tokens, translate tokens, transfer tokens, map tokens and more. Similar to how in the past we had a Kerberos Token aligned with a PKI token, we also have extensions of Kerberos token to the browser world (SSO token) via the SAML Kerberos WebSSO token. This is a very useful approach to authenticate applications (client applications and server applications) and can augment user level authentication and device authentication (such as OTP token and TPM token).

Thoughts on Token Technology Trends- No: 33

2011-11-12T08:28:00.000-08:00

Before we can delve into the various SAML token types (which are also referenced as SAML profiles) - its is also important to note that there are additional SSO tokens, such as OBtoken (Oblix tokens in Oracle Access Manager), SMtokens (Siteminder tokens), CDSSO tokens (Sun Java Systems Access Manager -now Oracle), TivoliAM token (IBM AM), WinSSO token (MS) and more. The past decade we have seen several thousand deployments of these software that are all part of the access manager space (not federation manager space that adds a SAML context for federation setup - primary function of an STS). Other than the OPenSSO project (which was a Sun Open Source project -that combined - Access Management, STS/Federation, Entitlement Management, etc., which is under Oracle now, I am not aware of any system that combines these areas together, unfortunately. They are treated as separate products.

Thoughts on Token Technology Trends- No: 32

2011-11-12T08:22:00.000-08:00

SWIFT for Secure Widespread Identifiers for Federated Telecom, has also created the notion of a SWIFT Token with an emphasis on Aligning Attribute Authorities around a SWIFT token. Since telecom operators own the Access Networks and can bootstrap a mobile devise into the Access Network as part of an Admission process, SWIFT tokens as virtual identifiers to align attribute authority can come in very useful.

Thoughts on Token Technology Trends- No: 31

2011-11-12T08:16:00.000-08:00

One of the Key Tokens that is leveraged by a Application and/or Browsers to NEGOTIATE an Authentication Mechanism with the back-end server is SPENGO token. A SPENGO Token, that can carry for example a Kerberos Token. Typical usage is an environment that needs negotiated authentication -when there is multiple authentication systems, SPENGO is used and is supported by majority of the Browser's including Google Chrome.

Thoughts on Token Technology Trends- No: 30

2011-11-08T18:18:00.000-08:00

One key differentiation between time based and event based OTP/Tokens (RSA Secure ID like systems are time based) - is that event based OTP tokens are also critical post-authentication - in session or in-transaction subject validation. These types of event token -- are extremely useful for context driven target rule sets, as a 2nd factor - contextual 2nd factor or 3rd factor. Note: Time, Event, USB, RFID, NFC and other related periphery tokens all-have influence over a device posture token and are all run time representation of a context (a set of attributes generated by a system post successful execution of a certain set of controls - in layer 1 to 7 of the OSI stack).

Thoughts on Token Technology Trends- No: 29

2011-11-08T18:12:00.000-08:00

One of the more commonly known and widespread usage of the term "tokens" is for the RSA secureid token. A device that generates a one time password - a "transient token" based on what you have and what you know "a PIN" - and can be augmented with axcionics like systems that add bio-metrics if needed. This is the type of token that increases the posture of a "subject: user + device"

Thoughts on Token Technology Trends- No: 28

2011-11-08T18:02:00.000-08:00

Another influencer of the posture token (in terms of periphery token) is the RFID tokens or tags (in conjunction with USN tokens and NFC tokens).

Thoughts on Token Technology Trends- No: 27

2011-11-08T17:59:00.000-08:00

Another such periphery token that can increase or decrease the integrity representing posture token is a USB token. Non-provisioned adhoc USB tokens generated will basically reduce the posture tokens attribute value representations. However since these USB tokens themselves can be used as (a pre provisioned initiating vector) secure storage of certificate/PKI, SIM, and other soft tokens - they can be added to the client device overall to increase the posture tokens attribute values.

Thoughts on Token Technology Trends- No: 26

2011-11-08T17:53:00.000-08:00

Related to Posture Tokens that act as a runtime representation of validated and verified integrity attributes about a device and its connection, the contiguity and continuity of the integrity posture is not a given. Depending on the context and use case (application) the device is running the posture token will be re-aligned. Influencers of such posture tokens about lets say a mobile device are additional periphery contexts also represented by tokens. One such token is an NFC token.

Thoughts on Token Technology Trends- No: 25

2011-11-08T15:21:00.000-08:00

In conjunction with external entity posture (such as client devices) the perimeter PDP can also produce a Network Threat Level Posture token - based on current Threats that are active. Trendmicro like systems generate such threat level tokens - it can range from the access networks a perimeter network connects to (such as a mobile network), the enterprise network and the SP network (cloud SP). These types of tokens adds another layer of Intelligence to measuring an Integrity Level of an end to end Client to Service Connection.

Thoughts on Token Technology Trends- No: 24

2011-11-08T15:13:00.000-08:00

Ultimately leveraging the path and packet tokenization and protocol and port tokenization - a comprehensive Perimeter PDP should generate Posture Tokens - that captures in Real Time the Integrity level of a device and its connection (client device and server device e2e). This in general should be generated post execution of all the control functions that are performed by; UTM -including Intrusion Detection and Prevention control functions, IP FW functions, VPN control functions, admission control functions, and more. The POSTURE TOKENS generated at Runtime is from a comprehensive combination perimeter PDP.

Thoughts on Token Technology Trends- No: 23

2011-11-08T15:03:00.000-08:00

Packet and Protocol Port (tokenized ports -NAT and PAT) firewalls (a farm of firewalls) generate path and packet tokens after protocol and port level rules are full enforced. This relates to Appliances such as Cisco ASA that sit on the Perimeter (DMZ) and functions a Packet FW, DPI, NAC, IDS/IPS and UTM all in one - concerted and co-ordinated to generate Posture Tokens -around the integrity of the device and the connection.

Thoughts on Token Technology Trends- No: 22

2011-11-08T14:56:00.000-08:00

Token ring was a protocol that leveraged packet tokenization, and with MPLS token buckets are heavily utilized as well. The insertion of tokens within IPv6 packets allows for a rich set of capabilities around identification, authN and authZ of packets as well. Packet tokens augment Path tokens and are combined with protocol tokens to determine (policy based) posture tokens.

Thoughts on Token Technology Trends- No: 21

2011-11-08T14:50:00.000-08:00

The next 10 entries will revoke around the topics of DMZ perimeter PDP and network tokens, such as Path Tokens, Packet Tokens, Protocol Token, Posture tokens and the likes that in essence helps validate the integrity of a network connection, network session, device connection (both client and server devices) and more. See a well written paper here.

Thoughts on Token Technology Trends- No: 20

2011-11-08T06:49:00.000-08:00

Along the lines of decoupling an Authentication Token from a STS SAML token, which is a key concept to digest, the idea behind adaptive authentication (such as OAAM) also is critical - since the set of subject tokens made necessary is dependent on the composite risk token associated with the resource consumed and the composite risk token associated with the subject as well. SO thus far we have covered Risk tokens, AuthN tokens, SAMLtokens, etc., in the 1st 20 entries. Now the focus will move on to a related area which is Network tokens and Integrity tokens and more.

Thoughts on Token Technology Trends- No: 19

2011-11-08T06:43:00.000-08:00

In some cases innovative companies such as Axcionics generate all three token types (what you have, what you are and what you know) - SIM+OTP+BioMetric all in one to initiate a SAML Session. OpenSSO as an STS was integrated with Axionics as an Authentication mechanism as well. Hence a combination of tokens were generated at the get go and associated with a SAMLtoken in STS.

Thoughts on Token Technology Trends- No: 18

2011-11-08T06:32:00.000-08:00

If one can start with a hard token that represents an initiating vector and leverage some sort of biometric credentials (non intrusive) to authenticate a user, and bind the two tokens (or map the tokens with a SAMLtoken) using STS - one of the common ways to integrate and align to authenticated resources within an enterprise that has applications (application with a authN token) is via kerberos (common and popular). This is a key reason why we have SAMLkerberos profile and approaches to integration leveraging an STS.

Thoughts on Token Technology Trends- No: 17

2011-11-08T06:26:00.000-08:00

Any hard token acting as the "initiating vector" allows for the STS to bind other token types to it. In general - when authenticating an entity - in this case a subject - similar to a hard token associated with a device (tamper resistant), a hard token associated with a human being is obviously Bio Metrics. The extensibility of the Biomentric AuthN tokens are also critical - such as DNA, fingerprint, facial recognition, retina, and more. Hence multiple Bio Metric token types should be generated by a platform for the right risk context. I am reminded of the OpenSSO (STS) integration with Biobex for this purpose.

Thoughts on Token Technology Trends- No: 16

2011-11-08T06:18:00.000-08:00

Similar to blog entry no 15, a TPM token can act as the initiating vector from which a SAMLtoken is generated by an STS and mapped to an OpenID token - like the one demo'd by wave technologies in 2009 at Digital ID world. This was an integrated demo using Ping STS. This same approach can be leveraged with any hardware token from CPU makers such as Intel and AMD.

Thoughts on Token Technology Trends- No: 15

2011-11-08T06:14:00.000-08:00

One of the key forking factors for federation is the SIM card and the GBA/GAA tokens that are generated by a the Mobile Operators. To a certain extent for enterprises that are extending their services to the mobile devices, this bootstrapping architecture and AKA/Digest +SIM based GAA allows for some level of device and user context that can be exchanged via SAMLtokens and STS, and augmented with additional authN tokens if needed.

Thoughts on Token Technology Trends- No: 14

2011-11-08T06:01:00.000-08:00

Now that we know that there can exist multiple Authentication types represented as a AuthN token for a subject, in those scenarios where there is Federation involved we have to have a good understanding of STS (secure token services) and the SAMLtoken (aka SAMLartifact) it generates. With recent developments at OASIS you should also note that SAMLartifact can also carry a XACML decision token (i.e., an AuthZ token), more on AuthZ token for the another blog entry.

Thoughts on Token Technology Trends- No: 13

2011-11-08T05:50:00.000-08:00

Toeknized representation of the audit trails are also anoher key perspective to keep in mind - to ensure full loop back - for traceability and observability. For example: Audit Tokens similar to the ones generated by Solaris

Thoughts on Token Technology Trends- No: 12

2011-11-08T05:42:00.000-08:00

Similar to the composite subject risk token, systems are capable of generating composite Resource Risk token as well. Darren Rolls the CTO of Sailpoint recently showed a demo that does risk ranking of resources based on multiple factors associated with the resource - including access review and access certification, the entitlements associated with the resource and more. The generated XML artifact about the risk rating of a resource can be tokenized - compressed, encrypted with metadata.

Thoughts on Token Technology Trends- No:11

2011-11-08T05:37:00.000-08:00

There are two types of composite risk that can be calculated - one for a subject (typically a person - employee, partner, customer, etc.) - for example Securonix generates what they define as a SmartRanking artifact, which to me is a specialized XMLtoken representing the risk associated with a subject based on past and current behavior.

Thoughts on Token Technology Trends- No: 10

2011-11-07T17:38:00.000-08:00

Another interesting trend is the Data Tokenization space (see paper). While data tokenization is to secure data (at rest and in transit) -the tokenized representation also has meta-data that classifies the data - such as PCI-DSS data, PII data, iTAR data and more. Which is also key to understand when we need to comply with regulatory requirements around data and data in the clouds! To me along with other firewall functions performed by a DB FW -this should be an add on capability. However today its typically an add on product.

Thoughts on Token Technology Trends- No: 9

2011-11-07T17:30:00.000-08:00

Another key technology trend in this space is DRM and rights management expressions using XrML and the resulting XrML tokens (runtime licensing keys and artifact representing a resource access control function). This takes us to the topic of representing - rights, access, privileges, priority, entitlements and all AuthZ related functions as they relate to documents, databases, OS and applications + data - all expressed in Tokens - similar to XrML tokens - also allowing for run-time representation of DAC, MAC, RBAC, DRM and more.

Thoughts on Token Technology Trends- No: 8

2011-11-07T17:20:00.000-08:00

Another key technology trend in this space is the usage of Virtual Directory technology to create what is referred to as "computed tokens", such as Radiant Logic. VDS technology allows for the aggregation of associated attributes into a virtual view. From this virtual view lets say we can see a 100 attributes - we can easily define that if we see 90% of attribute match create a Green Token - 70-90% match a blue token - 50-70% match an orange token and below 50% a red token - all of which are computed token types around an attribute set. This functionality of computed tokens is very critical to understand as well.

Thoughts on Token Technology Trends- No: 7

2011-11-07T17:16:00.000-08:00

One of they key value proposition of token typing is the fact that we also have the notion of a hard token and a soft token - a TPM (trusted platform module) or a SIM card can act as a Hard token with tamper resistant memory footprint and an identifier (unique to the device) which can act as the "Initiating vector" for storing other soft tokens and token types or combining the same if needed. This is a critical concept to understand in this space as well.

Thoughts on Token Technology Trends- No: 6

2011-11-07T17:04:00.000-08:00

One of the extreme use cases according to some (not me) is to create an RBAC token or RBAC tokenization -- at runtime any tokenized artifact is a XML file with condensed attributes and meta-data. From that perspective RBAC profiles have been XML'ized for close to a decade now and therefore they can be tokenized as well into RBAC tokens. These tokens unlike AuthN token are considered to be Access Tokens (and an RBACtoken type is only one amongst many in this space). Please read the paper in the link above that describes the usage of RBAC tokens. Note: at run time this XML artifact (an RBACtoken) is also encrypted -so secure exchange is possible.

Thoughts on Token Technology Trends- No: 5

2011-11-07T16:51:00.000-08:00

One perceived definition of token or a "security token" is that it is an authentication token (like a OTP token, Biometric token, SmartCard token or Kerberos token, etc). In our 100 entry description of the technology trends in tokens, tokenization and STS - we take a broader picture around tokens that go FAR beyond what is traditionally understood as token (authN tokens) - based on the definitions and token type description in the previous 4 entries. AuthN tokens are a critical piece however if we take an basket of tokens - they would represent only 10 to 20% of the token types. This again has to be kept in mind BIG Time!!

Thoughts on Token Technology Trends- No: 4

2011-11-07T16:40:00.000-08:00

Tokens represent Assured Attributes -- i.e., The attributes are from authoritative sources validated by control functions performed prior to the token generation - for example; A posture token generated by a Cisco ASA solution is generated after the validation control function of multiple attribute sets about a device. The same is TRUE for all Token Types - i.e., whether it is a AuthN token or Access Token or a SAML token it does not matter. Therefore one definition of a Token is that it is an "Active Abstraction of Assured Attributes". This understanding of a token is also very critical in terms of synergies and synthesis that it can bring to the table.

Thoughts on Token Technology Trends- No: 3

2011-11-07T16:20:00.000-08:00

Another key trend to be noted is that there are many many token types in play within an Enterprise Security Architecture, namely;

Public Tokens vs Private Tokens
Standardized Tokens vs non-Standardized Tokens (SAML vs proprietory tokens)
Authentication Tokens vs Access Tokens
Subject Tokens vs Resource Tokens
Integrity Tokens vs Trust Tokens
Computed Token Types (many)
Risk Tokens (for subjects and resources)
Transaction Token Types (such as SWIFT Tokens)
Network Token Types (such as Posture tokens and Path tokens)
Decision Tokens and Obligatory Tokens

I have listed nine token types here and there are many more. Each is a topic for an blog entry, but there should be clear understanding of what a token means and the types that they can belong to. An STS development kit should be robust enough to work with all these token types and more that can be custom defined.

Thoughts on Token Technology Trends- No: 2

2011-11-07T16:12:00.000-08:00

The decoupling of Authentication and Sessions with Secure Token Services, is a another key technology trend. We are all familiar with many authentication mechanisms that generate a token type (bio-metric token or a SIM token, etc) - these independent Authenticating systems that authenticate an entity (user, device or application./service) generates a Authentication Token post successful Authentication and traditionally this was tightly tied to SSO services -such as WinSSO and Kerb token or Siteminder SSO and LDAP AuthN, etc. With the recent trend in terms of STS development - the secure token service is the service that accepts these tokens, creates a session token and does mapping and translaton of Tokens. Hence this technology trend in terms of decoupling Authenticating systems and Secure Token Services is a Key underlying technology trend that is extremely important to understand, tokens, token types, tokenization process, STS and more.

Thoughts on Token Technology Trends- No: 1

2011-11-07T16:03:00.000-08:00

From this blog entry onwards I am challenging myself to post 100 entries and a 100 perspectives on Tokens, Tokenization and STS (Secure Token Services) - meaning each one is a unique perspective on this Technology Trend within the next 100 days !! So here it goes:

I grew up in chennai india - where every time we walked up to our family doctors clinic - we were given a token (since there were several dozen patients waiting in line). This token was cryptic - in a sense - since its had numbers and colors and certain markings in it. As i learn't later in life - the colors depicted - whether you were really sick or was it something that can wait, whether you were man or a woman, aged or young and more. The numbers reflected you turn - and there were multiple queues. Also in certain cases - a patient would be given preference either because they come from a privileged family (special tokens) or if they had called in advance (we typically walked in hoping to have a wait time of less than an hr). Taking this analogy; a token has 5 characteristics - True for the Token relating to the Technology Trend we'll be discuss in these blogs as well;

Tokens represent an Attribute Set (token types) -compressed or condensed - for example Perimeter host admission control solutions validate 60+ attributes about a device and then create a posture token (3 or 4 types - that reflects the Attribute sets)
Tokens have some meta-data based on their characteristics (for example in the analogy above - green could mean sick boy, blue could mean sick girl, yellow sick adult man and red sick adult woman and more)
Tokens are Cryptic - meaning that if you are not briefed in advance - all the substance in the token will mean nothing to you (in our technology trend they are encrypted and compressed -secure exchange)
Tokens represent Attributes with some level of Assurance -Attribute Assurance - since they are based on successfull execution of some control function
Tokens are generated at run time and have real time characteristics of a state of an Entity (entity can be subject or a resource or an action or condition) - real time representation of entities.

This is the basis for all the next 99 entries and therefore - it is imperative to DIGEST this understanding of what Token represents!!

Architecurual Alignment with Access Control

2011-10-13T15:56:00.000-07:00

I just completed my CISSP training last week and it was very interesting to note that amongst the 10 modules - Access Control is one and it includes - all three areas of IAM, "Identification", "Authentication" and "Authorization". If Authorization decisions at run time are also leveraging audit data (historical behaviors for example" - then we might add the topic of Audit as well to the overall Access CONTROL space. To me that leads to XACML:

as the extensible XML based AC policy language,
the framework (PEP, PDP, PIP, PMP, etc),
the XACML request response paradigm (interfaces and integration),
the XACML profiles (such as RBAC profile) and,
the SAML2XACML artifact that allows for the alignment of Authentication to Authorization at run time.

Just like how we saw the ID Federation (SAML) take off this past decade (2000-2010), this decade is the XACML decade (2011-2020). If we view; applications plus services as one set of resources and data plus documents as another set of resources - the systems protecting apps/services are;

XML firewalls (and we have support from IBM, Intel, Layer7 and majority of the vendors in this space that support XACML estensions
RBAC systems (majority of the RBAC implementations extend via XACML-RBAC profiles)
and Composite Risk Rating Engines (such as Sailpoint and Securonix) that generate XML artifacts that gets passed to a XACML PDP as a PIP

On the Data and Documentation side, we have an interesting scenario of some XACML vendors; the Top 5 being;
Axiomatic
Bitkoo
IBM
Oracle, and,
Nextlabs

beginning to support DB Firewalls and DRM systems(using XACML as a policy expression language) (plus integration into DLP).

All the NEP's (such as Cisco and Juniper) have the opportunity to create a specialized Network (perimeter) PDP - that unifies (UTM) - Deep Packet Inspection, with Packet FW, with Network Admission Controls and Intrusion Detection Systems - and generate Network Threat and Device Integrity Information (acting as a PIP) to the Enterprise Data+App PDP. This approach kinda ensures the REALIZATION of the Vision established by XACML as a Pervasive Policy Paradigm for an Enterprise Security Architecture !!

The AAA Aligned to AAA

2011-04-23T19:28:00.000-07:00

I remember reviewing this IBM redbook on ESA a few years back and thinking about how an IAM (identity and access management) stack play's an important and critical role for Enterprise Security Architecture. I've just started a few weeks back at the Bank of America as a VP., Sr. IAM Architect in the Enterprise Security Architecture group. An amazing organization with a number of enterprise scale security projects going on (Six Sigma Security). I will have very little time to blog moving forward. My 1st paper at the organization along with a few others talks to the AAA behind AAA from Radius to an Integrated IDM Infrastructure. RADIUS was good a few decades back when we had a few remote dial up users and with almost all (employees, customers and suppliers) users in today's cloud, outsourced and highly mobile environments, is remote and mobile accessing services under varying conditions (context), accessing services from a cloud data centers managed by operations outsourced to Asia and more., makes an Integrated IDM Infrastructure even more critical for distributed systemic security services;

AAA behind AAA:
Admission Control (Analysis, Acceptance and then Admission)
Authentication (Authenticity of credentials, Adaptive AuthN, etc)
Assertion (Assertion of tokens including authN Attestation and authN Assurance)
(all three making up the 1st A)
Attribute Aggregation (Assimilation of pre-authN, post AuthN, pre-AuthZ Attributes)
Authorization (entitlement data, privileges, permissions and more)
Access Control (run-time RBAC, ABAC, Risk, context driven, etc)
(all three making up the 2nd A)
Activity Monitoring (end to end log based RT monitoring)
Accounting (metering, measuring and billing)
Auditing (compliance reporting and certification)
(all three make up the 3rd A)

The paper will have functional decomposition of each of the 9 A's, inter-relationships between them, flow diags, etc. An amazing place to work at, an amazing area to focus on (IAM and ESA), an amazing team to work with.. Its going to be the best years of my career!!

Oracle'c Cloud Computing Center

2010-09-29T03:36:00.000-07:00

Last week at OOW I had the chance to present "Context Aware Security for Cloud Control and Compliance" along with some friends at Verizon. It was an Amazing week since Oracle announced an array of products and solutions in support of our Cloud Computing Strategy. From ExaLogic EC -the cloud in a box solution for IAAS, PAAS and SAAS, to the next generation of ExaData for Storage AAS and DB AAS, to the Niagara T3 CMT processors and systems based on T3 (ideally suited for Cloud Security and Control Applications - that are parallel in nature -see paper). There are a number of excellent papers and webcasts here that discuss everything cloud;
Cloud Strategy
Cloud Computing and EA
Cloud Management
Cloud API
Public vs Private Clouds
and more..

My next dozen plus blog entries will be around "Context Aware Security for Cloud Control & Compliance".

The Intersection of IDM and IN

2010-07-01T06:51:00.000-07:00

My 2nd paper is around the integration and intersection of different Intelligence data both Network facing, IT facing and Business facing around a common identity management layer. Mobile Cloud Operators have unique advantages in the Cloud Control and Compliance space due to the visibility and transparency they have on both ends. Here is a nice writeup on the Intersection of IDM and BI from a GRC perspective. Oracle with its complimentary solutions around an Integrated Identity Infrastructure that includes DB Security, MDM, GRC, BI and NI products is again well positioned here. Its already possible to Integrate Network Intelligence and Business Intelligence with a common Identity Infrastructure today (to a certain extent) and since the Cloud Paradigm converges and collapses the Business and Network layer into ONE, any Cloud Initiative will require this end to end IN integration. This approach is also facilitated by SEIM software (such as the ones from our partner LogLogic) that collects Logs end to end and applies Logic on top for Security Events and Information.

Charging for Cloud Computing Services

2010-07-01T06:39:00.000-07:00

Oracle is a market leader in terms of Integrated Identity Infrastructure Implementations in Telco's (mobile operators) worldwide. These Telco's are all gearing up for Mobile Cloud Computing initiatives.. I just delivered a Keynote at the SIMposium 2010 in Rome yesterday and folks here clearly view SIM+SCWS+Secure Contained Client Code+JC 3.0 as a PEP (policy enforcement point and a programmable end point) as the ideal Cloud Client. Another important perspective when offering SAAS, PAAS, IAAS, etc., is the flexible, open, robust charging and billing models that are required for all the IP Cloud Services. Here is an excellent presentation via webex from Paul and Elisabeth on how well Oracle's BRM is positioned for these large scale Cloud Initiatives from a Charging and BRM perspective - and how well they can support different business models and revenue recognition models. I am working on a series of 5 papers (that would eventually transition into my "Identity and Trust" book on - Cloud Control and Compliance with a number of Industry coauthors) and the 1st one is on the significance and importance of an Integrated ID Infrastructure from a charging and billing perspective for Cloud Services. The obvious ones are;

Mediation between Operator as an IDP and ASP/SAAS as a SP is facilitated with federation
Revenue Assurance is aligned to ID Assurance levels
Mobile wallet is a PEP for a PDP
Fraud Detection & Risk Based AC for Billing - Transaction level AAA
Pre-pay, post pay, pay per use and other pricing models - aligned to Roles and Responsibilities
Integration with AAA, Radius, Diameter, etc
Access Control - DRM -content/IPTV/services tied back to payments
Log Data from III for non-repudiation and assurance
Consolidated Converged Charging is USER/ID Centric

A Critical Cloud Control partner -Vordel

2010-06-06T18:52:00.000-07:00

Vordel, Oracle's key partner for Cloud Control & Compliance area, did an excellent presentation at Telco Cloud 2010 last week, and will be at the E-Identity event next week as well. Check out the joint presentations and white papers, discussing the integration between Vordel's Cloud Control product Oracle's Identity Infrastructure products, Oracle DB and Oracle's Enterprise Manager. There are both common Telco and NEP customers who will benefit hugely with this Integrated Approach for their Cloud Control Initiatives!!

Cloud Computing Conference

2010-06-03T08:31:00.000-07:00

Another Telco Cloud Services event in London the week of June 15th. The original one was scheduled for April and was later postponed to June (due to volcanic ash).. An amazing amount of momentum from Operators such as BT and FT in terms of starting Cloud Initiatives and a great lineup of NEP's to support the operators including Cisco, ALU, NEC and others.

CIA for Cloud Computing

2010-05-24T20:30:00.000-07:00

Oracle announced the acquisition of Secreno a Database Firewall software company, a few days back. An excellent acquisition that compliments Data Vault , Data Masking and other related Security solutions from Oracle, that are key enablers of Data level security in a Cloud Model. From my perspective similar to the application (XML) firewall solutions from our partners such as Layer 7 and Vordel, along with traditional Network Firewalls, the combination of these firewalls integrated and aligned to an Identity Stack (i.e., they are session aware, white listed, id context aware, integrity checks, assurance level aware, and more), offers the defense in depth for cloud services. If this is one area of alignment, the other perspective is the alignment of network integrity, with code integrity (apps and VM) and data integrity, plus device integrity with an Identity Stack, to meet QOS and SLA requirements of a Managed Cloud Service provider. Taking this approach we can address the CIA (confidentiality, integrity and availability) for Cloud Computing. The availability aspect goes beyond disaster recovery and traditional HA designs to include - self cleansing intrusion tolerant (SCIT) based specialized VM's that are tightened, tweaked and tuned to offer specific services. A clean and tolerant VM executing my service for my given session and recycled when my session terminates (hence again integrated to the ID stack). Within my one authenticated session I could invoke multiple federated VM sessions that execute services on my behalf and are terminated (based on the security sensitivity of the service consumed) when my user level session terminates. This approach introduces true Mobility to Cloud Computing that covers User Mobility, Device Mobility, Session Mobility, Network Mobility and Service Mobility!!

Systemic Security (Services) for Cloud Computing is achieved only when there is intelligent
linkage between all security systems with a core Identity Infrastructure.

Mobility Context, Cloud Mobility and MAAS

2010-05-24T09:11:00.000-07:00

Similar to the description given by MAAS here, the flexibility offered by Cloud Computing and Cloud Service when married with the Mobility aspects (anytime, anywhere, any device), Identity, Policy, Security, Control, Compliance, Session, Trust, and other related IDM services becomes a CENTRAL enabler on both fronts (on the Infrastructure and Service side and the mobile broadband access network side as well).. Informa is putting together a great event in September 2010.

Cloud Control and Compliance

2010-05-23T15:18:00.000-07:00

June is a hectic month for me.. Two keynotes and a presentation plus panel participation. The 1st one is at Paris for the Telco Cloud event, directly relevant to the work we are doing at Oracle as an NEP partner of companies such as Cisco, Ericsson, Juniper and others around "Cloud Control and Compliance". My presentation will reflect the alliance and partnership that we have with Cisco and specific ISV partners, in this space. The 2nd presentation is the Closing Keynote "Identity, Policy and Context for Cloud Services" at eema IDM event in London the 2nd week of June. The 3rd one is an Opening Keynote the last week of June in Rome at the SIMposium 2010 around the topics of SIM, JavaCard 3, SCWS (smart card web server), Integrated ID stack and more.. (Bootstrapping the mobile with Cloud Services). The Clouds will hopefully cooperate!!

Asserting Attributes for Assurance

2010-04-20T06:42:00.000-07:00

One of the core areas where the Alignment of Attribute Authorities is imperative is the area where the attributes are asserted for changing assurance levels, pre-authentication and post authentication for Attribute Based Access Control. If one's identity is a "Construct of Credentials within a Context" that construct of credentials (an assimilation of attributes or credentials) can vary from simply leveraging SIM like authentication, SIM plus a Location Attribute, SIM plus a location and a PIN, SIM plus a location and a PIN plus voice, SIM plus a location and a PIN plus voice plus a Attribute Authority validating citizenship, and more. The Attribute Authorities are asserting attributes as authoritative sources of those attributes, such as a mobile operator and a device location, a Device Reputation Authority and the attributes pertaining to the device capabilities, a 3rd party Attribute Authority asserting prior institutional decisions taken about a user, etc. etc,. These attribute authorities are also viewed as federated databases (large and high throughput) that can exchange attributes securely at lightning speeds. This alignment of attribute authorities in network can also be viewed as;

The NG IP Intelligence Layer between the User & the Services/Content he/she consumes
A more advanced Context Layer for contextual composition of all IP services
The Identity, Policy + Control Layer - since control is for an identity and abides by policies
A meta layer - that can host mapping profiles and an abstracted set of information
A more advanced routing, switching, bridging, gateway-ing, repeating, accelerating layer

This is the area where Oracle's collaboration with ISV and NEP (such as Cisco, Ericsson and NSN) will benefit the communication, media and entertainment industry.

Genesis for Global eGovernance

2010-04-06T14:11:00.001-07:00

GRC (governance, risk management and compliance) programs typically leverage an Integrated Identity Infrastructure along with the People, Processes and Technologies that go with it. To me the trends towards technology based transnational transparency initiatives, including the many Transparency programs put in place by the Obama Administration, will be the Genesis towards a Global e-Governance model, that will encourage more open, participative and collaborative environment for Governance. This is the topic of my 4th book "Identity and Transparency" the Genesis for Global eGovernance (2012). I am truly amazed at the pace at which this administration (including the CIO Vivek Kundra and CTO Aneesh Chopra) is putting in place major transparency programs, both national and trans-national.

Prosperity Phenomenon - a Paradigm of the Past

2010-04-06T13:59:00.000-07:00

After posting my blog entry on Africa - I was wondering why we face these economic cycles within nations and why cant there be prosperity in a global scale. After all one's prosperity is highly intertwined and interlinked with others prosperity (new markets, increased specializations and efficiency in resource consumption and more)..

" History has shown us that when some parts of the world prosper, others often don't. For instance, in the 1600, when India and China were thriving, Europe was at a low; when Europe was on top of the world, Asia was down; when Europe and Asia were on the decline, the United States was on the rise; and while the rest of the world is still struggling to recover from the recession, Brazil, India and China seem to be forging ahead. However, we need work together to make this phenomenon, where one region prospers at the cost of another, a paradigm of the past. In today's globalized world, international borders are porous, and the inter-connectedness and inter-dependence of countries and regions is obvious. The nature of today's challenges requires us to unite across the world to come up with common solutions".

In this highly globalized world - the genesis for global e governance will be the trend towards a technology based transnational transparency.

DIM 2010 - CFP open Colocated with CCS2010

2010-03-31T19:28:00.000-07:00

As a proud lifetime member of ACM (almost 5 years now), it gives me great pleasure to provide this pointer to this upcoming ACM event - DIM 2010; topics include:

Identity management for cloud computing
Identity management for critical infra
Identity assurance
Identity governance
Attribute aggregation
Identity in service-oriented architecture
Anonymity and pseudonymity
Accountability in identity management
Identity management APIs
IDM in ubiquitous and mobile computing
Reputation and incentive systems
Privacy-enhanced identity management
Identity-based access control
Identity discovery
Identity theft prevention
User-centric identity management
User experience models and integrity
Standardization of IDM and policies thereof, standards harmonization
Case studies and lessons from large scale deployment
Vulnerabilities, threat analysis and risk assessment of IDM solutions (e.g., threat of malware affecting identity theft)
Analysis of differences between requirements for consumer and enterprise IDM

United States of Africa (Aligned with APAC and Americas)

2010-03-16T18:24:00.000-07:00

I reviewed a well written story and article in Fortune Magazine this week about the potential for the African Sub continent, that also had a quote about this 2008 Vijay Mahajan's book. Population exceeding a Billion, GDP exceeding a Trillion, huge land mass that is more than the land occupied by China, Europe and USA combined and all the natural resources that go along with it. The 1st thought that ran through my mind is how all the 50+ countries in this beautiful continent can come together as another USA (United States of Africa).. also amongst the top 10 economies of the world. Similar to the strengths in the Union that is found in the EU or the US of A (America), there are huge synergies and power that comes with the Union and Federation of these 50+ countries in Africa. All the 50 plus nations combined can leverage common standards around commerce and cooperation. Of course tourism is another huge industry opportunity as well.. from the Pyramids in the Egypt to the Safaris in Tanzania, Beaches in South Africa to the Kilimanjaro mountains and the Madagascar. I am going to get this book to read for my next flight. All 50+ nations can come together for a 1Billion+ African Identity Initiative as well (similar to the UIDAI project for the 1+ Billion citizens/residents of India).

Must Attend event in May at Munich

2010-03-08T05:45:00.001-08:00

A premier IDM and GRC event in May 2010. Registration is OPEN!! Do not Miss it.

CFP - IEEE CS - Securing the Converged Mobile Internet

2010-03-02T05:27:00.000-08:00

Call for Papers Open for this very interesting IEEE Computer Society event on "Securing the Converged Mobile Internet".

ABAC is Adaptive Access Control

2010-02-22T17:46:00.000-08:00

I am working with a CEO/CTO of a start up ISV partner of Oracle, who is building a niche Trust (IDBE) functionality, on top of an Integrated Identity Infrastructure from Oracle. We might get a chance to deliver some information on this strategic initiative as a Keynote soon. I also had a con call with the VP of product management for the Identity Stack today with respect to a NEP/OEM integration. With STS (secure token services) and Fedlet integrated into the Oracle Stack (see latest Feb 2010 paper), there are some amazing values offered in just the integration of these components. I might also get a chance to deliver a Integrated ID Infrastructure, workshop at BT in London in 2010. A chapter in the upcoming book "Identity and Context" covers the topic of an Integrated Identity Infrastructure leveraged for Context Aware Security.

Get Connected at GSMI's GRC Summit

2010-02-17T06:48:00.001-08:00

Excellent event to learn all about end to end Governance, Risk Management and Compliance (GRC initiatives). With the acquisition of Amberpoint and it Agile Governance System, Oracle has a very comprehensive and compelling end to end solution to address GRC (IT governance, Application/Business Governance and Enterprise Governance).

CIO Council on Credentialing -ICAM

2010-02-11T09:13:00.000-08:00

Comprehensive Coverage of Identity Credentialing and Access Management, by the CIO council, in the latest report. After all Digital Identity is defined as a "Construct of Credentials for a Given Context"

Conextual Composition & Convergent Charging

2010-02-10T08:37:00.000-08:00

Wow - the Global Communications Business Unit at Oracle is moving at Lightning speed. We just announced the acquisition of Convergin (a JEE/SCIM based Service Broker), that can compose converged services and handle complex charging model (prepay, post-pay, pay-per-use, etc.). Also read the new Oracle sponsored paper on Converging on the Customer.

Agile Application Governance Across All Platforms

2010-02-08T06:16:00.001-08:00

Given the solid integration that's already in place as an ISV partner for Oracle Fusion Middleware, todays news on Oracle's Acquisition of Amberpoint should come in as very good news for our common Telco install base (such as BT, Orange and Telcom Italia). Amberpoint is standards based that includes XACML.

Reducing Risk and Revenue Losses

2010-02-07T18:42:00.001-08:00

Excellent paper that talks to the integration points between an Integrated Identity Infrastructure and Revenue Assurance. I will hopefully get to present on the topic of "Identity, Policy and Context for Revenue Assurance" at this upcoming local event on OSS/BSS.

Identity, Policy & Context Centric Convergence

2010-02-07T18:15:00.000-08:00

Excellent paper by SWIFT on "Identity as the Convergence Layer", which implies, Identity (authN authorities), Policy (authZ authorities) and Context (attribute authorities) as the layer that enables Customer or User Centric Convergence.

The 5 industry standards initiatives around Identity for Communications Convergence includes;

TMF Identity for NGOSS (IPSF also folded in)
ITU T work on Identity and Security for Telco
ETSI for Identity and Profile Management (GUP, SUP, DUP, etc.)
Kantara WG on Telco IDM (and historical work done by Liberty Alliance)
SWIFT's work on Use Cases around IDM for NGN including Policies and Context

Customer's Context Centric Convergence & Consolidation

2010-02-07T17:05:00.000-08:00

The more I learn around the value proposition that Oracle offers to the Telco Industry, the more I am excited to be working in the Communication Global Business Unit. Through its massive set of acquisitions for the Telco vertical and the Identity Infrastructure space Oracle offers a big piece of the solution sets that would be required by the Carriers in this industry who are essentially facing three large scale challenges (given the Convergence around IP - wireless+wireline convergence, Network+IT convergence, Voice+Data+Video convergence, Device Convergence, etc., and the massive transformation we see with a Global Broadband Wireless deployments), which include:

Enabling Next Generation Service and Content Delivery (converged and contextual - relevant to each and every unique subscriber/customer needs)
Improve Cost Control and Compliance (heavily leveraging an Identity Infrastructure and containing costs both on the IT and Network side)
Drive Customer Centric Information Architecture (based on SOA)

Other than the software infrastructure products (communications SDP) that heavily integrate with a common identity infrastructure, for the infrastructure services it has to offer; all three major Applications offered for this vertical also leverage this common identity infrastructure in a very big way:

Billing and Revenue Assurance heavily rely on an Identity Infrastructure as described in this paper (including Risk BAC, Logging, Auditing, etc.)
The OSS stack also leverages the Authentication and Authorization functions for Unified Operator Management (as elaborated by TMF)
The Oracle Customer Hub for a 360 degree view of a Customer, for compliance and better customer service and more (integration with Unified Profile, Virtual Directory, HSS and more)

The best part is now all this can be combined with Sun's Open Telecom Platform offerings that are ATCA, SAF and other industry standards compliant HW infrastructure and Expertise in integrating with NEP's network facing systems around IMS, WiMAX, LTE, CCSF, HSS, PSCF, etc., making it a phenomenal story - especially when Telco are geared up to deliver Managed Cloud offerings!!

Contextual Composition of Converged Services

2010-02-02T14:39:00.000-08:00

Its great to learn more about Oracle's Converged Communications products, this week. Starting with the SDP platform that include Converged Communications Server (JEE, SIP Container, IMS/NGIN/WS Server, etc), Communication Services Gatekeeper (parlayX gateway, SLA/QOS Policy enforcer, etc) and the new Communications Media and Advertising Server, OSS/BSS Servers (end to end from Service Activation to Service Retirement), Media and Entertainment Services, GRC for Telco and an ATCA+SAF compliant Carrier Grade Framework. An awesome product line!! No wonder Telco's worldwide choose Oracle. Now with the Sun acquisition, every Telco I've worked with in the past 10 years (from an ID Stack perspective) - Telstra in Australia to Telus in Canada, Telcel in Mexico to Verizon in US, Vodafone in Europe to Reliance in India, Vimplecom in Moscow to China Mobile in Beijing can leverage the Identity, Policy and Context layer to Deliver Revenue generating NG converged communication services and cloud services!

Secure SIM and SSO based Payment Services

2010-02-02T13:02:00.000-08:00

My Keynote with Hadi Nahari, Principal Architect at Paypal is confirmed for april 2010. The POC will continue with an Oracle+Sun ID Stack.. We will present on the requirements and key metrics around performance and scalability that resulted in a proposed Solution Architecture (300 mill+ subscribers, 1 mill policies, 1+ billion attributes, etc.).. This will be my first as an Oracle employee!!

Top Twenty Telco - Trust Oracle+Sun

2010-02-01T12:17:00.000-08:00

In the 10 years I was with Sun roughly 1/2 was on leading and consulting on Telco projects worldwide as a Lead Architect (including Telcel in Mexico, Vodafone in Europe, Cingular in US and more) that included integrated EBPP, mobileSOA, ID infrastructure and more, the reminder 1/2 was in SW Sales Org focusing on Identity Infrastructure (US, Canada and LA.). I am glad I will continue playing a LEAD role in Oracle Global Telco Unit reporting direct to a VP. My roles and responsibilities will include;

Acting as the GO TO GUY for Integrated ID Infra for Global Telco Deals.
Representing Oracle Comms at ITU, TMF, GSM, and other Industry Events, etc.
Integrating ID Infra for the Telco Vertical Solutions (Market Requirements, etc.).
Interfacing with different Product specific Product Managers for alignment.
Working closely with Sales/ISV/SI partner Teams focused on Telco a/c's.

Plus more... I already know the strengths that Sun brings to this Telco Industry, and combined with Oracle we will have solid momentum as Telco's roll out 4G & IMS worldwide and integrate Web 2.0 and Comms 2.0 services via a Common Identity, Policy and Context layer. Looking forward to the next 10 years at Oracle!! Its going to be AWESOME!!

Legend - Leadership Lecture

2010-01-31T17:22:00.000-08:00

I was listening to Sri Sri's lecture at Wharton that was given in early 2009 for students and I thought about his "12 Qualities of Good Leadership" (that was emailed to me this weekend):

The first major aspect of good leadership is letting go of control. Are you in control when you’re sleeping or when you’re dreaming? No! Are you in control of any other function in your body? Your heart is pumping all by itself. Your liver functions by itself. The food you stuff in the stomach gets digested all by itself. Do you have any control over them? Are you in control of the Sun and Moon moving around the globe or even the globe rotating on itself? Are you in control of the thoughts that come into your head? So, when you realize you really do not have any control over all major things that are happening in you life, you’ll stand up and laugh. “Oh, what am I thinking, am I in control of something?” Then you will realize that the idea that you are in control is an illusion. And then you relax. And that relaxed state is called surrender.

What is surrender? A state of mind, where you are absolutely at home, totally relaxed — with no fear, anxiety, burden or problem. That state is called surrender. Surrender is our very nature; you don’t have to do it. When you are in your natural state of childlike innocence, you are already in a state of surrender. When you cannot surrender, then you make effort, and effort makes you surrender. So when you say, “I cannot relax”, I will say, “Ok, hold your fists tight and tight and tight.” Then, when I ask you to make it tighter and you cannot do that, what do you do? Being tired, you just drop. This is coming to the other end with effort! For a leader, it is also important to be in the present moment.

So, what are the qualities of good leadership? How can you be a dynamic, confident and enthusiastic leader?

The first quality of leadership is to set an example. A leader doesn’t just order things; he does it so that others can do it.
Second aspect is that a leader takes good care of those whom he is leading.
Third aspect is that he doesn’t create followers. A good leader creates leaders. And then chain action happens. A leader should delegate responsibility.
The fourth quality is that a leader does not depend on authority. He just does a thing, whether authority is invested or not. It comes by itself.
The fifth aspect of leadership is that he does not worry about position. The respect that you gain through virtue is very different from the respect you gain through the position. The respect you get through a position is short-lived and temporary. But the respect that you gain just because of your smile, your attitude, your virtues are there with you all the time. You may be a chairman of this committee, a president of that committee, or you are barrister here or governor of that state — these are all momentary, temporary. They come and they go. And the respect you get because of this position is not genuine, it is not from the heart, it is not true. But the respect you gain because you are a nice person, is genuine, it lasts long. It is spontaneous.
The sixth quality is that a leader is alert and when challenges come, he is not disturbed. A good leader is one who does not drop things when challenges appear.
The seventh quality of a good leader is one who does not care for comfort, but who stretches himself beyond the comfort zone. Anything creative, dynamic and great can happen only when you stretch beyond your comfort zone where we are often struck. We think we cannot do something: just make an effort and put one step ahead, and you will find that that you are expanding your comfort zone. Creativity transcends your comfort zone. Or, when you step out of the comfort zone, your creativity comes into play.
The eighth aspect is, a leader should not mix head and heart. If you mix head and heart, you are in a mess! When you have to work, you work with commitment and you live with your head. In life, in situations other than when you are working, listen to your heart.
The ninth quality of a good leader is that he should be multidimensional and see from the other’s point of view. Put yourself in other person’s shoes, look from the other person’s point of view.
The tenth aspect is that the leader doesn’t depend on one-sided information. When you get some news from one side, don’t take any decision or conclusion till you hear from the other side also. Leader should be a good communicator.
The eleventh is that a leader should have a direct approach.
Twelfth quality of a good leader is not to judge oneself. You have this tendency of judging yourself, “Am I good? I’m no good.” The self-judgment is an obstruction. Stop doing that. Don’t judge yourself. When you judge yourself, you are judging others also. Then you oscillate like a pendulum. If you feel you’re good, then you are saying that others are not so good. So when you find that others are good, and then you feel that you are no good, you blame yourself. Judgment is very similar to self-blame and blaming others. We have to get out of this vicious circle of self-judgment. That is also the state of surrender. When you have surrendered to the Divine that means that you no longer judge yourself. Self-Judgment is not necessary. A child is so innocent, why? Because the child doesn’t judge itself.

In my mind I thought about the Legendary Leadership offered by Scott Mcnealy the last 27 years.. always as an example - any major high profile project or meeting I go to - would have been preceded by Scott Mcnealy and the customers CIO, CTO or CEO meeting- I've run into him many times at the EBC, and I in fact got a call from him just before my presentation at Nextcom in 2008. Scott is well known for creating Leaders (more than 100 CEO's in the industry will trace their time back to him).

He ensured that Sun's IP (intellectual property), products and majority of the people were taken care off - with the Oracle Acquisition.. (the best alternative to Sun going it alone). I truly believe that Sun, its Industry changing technology, products and people will do extremely well within Oracle, since the combined entity is a bigger force that can tackle competitors in an industry that is consolidating rapidly... He has done amazing things including promoting eco friendly computing, supporting global education and more.. He is a LEGEND since he also had the courage to give up control.. (the 1st quality of leadership) for the larger good that it can do!!

Java ONE merged into Oracle Open World

2010-01-28T04:57:00.000-08:00

Given the popularity of Java ONE and the huge successes of Oracle Openworld in 2009, this year in 2010 the combined event will be unprecedented!! Registration is open!!

SOA SIG Scheduled for Next Month

2010-01-27T17:38:00.000-08:00

The National Capital Oracle User Group has a SOA special interest group, and I'll be presenting on "Identity, Policy and Context for Cloud Services" next month, to this group. It will be a great way to meet Oracle customers local to the DC area!!

Whats an Integrated Identity Infrastructure

2010-01-25T14:48:00.000-08:00

Now that the EU has approved and Sun as an entity has merged with Oracle, I decided to post an entry of what an Integrated Identity Infrastructure means to me..

At a high level it implies a:

integrated system of Identity Services that are based on a common technology platform (similar to Sun's and Oracle ID services running on a JEE application platform),
interfaces are based on common standards such as SAML, XACML, SPML, XML, etc.,
the integrated architecture is based on reusable services (aka autonomous Service Building Blocks) that can be called upon when needed, and reusable by all IP (internet protocol) services (web services, communication services, VOIP, IPTV, web 2.0, etc.)
acting as a common user centric intelligence and instrumentation layer across all services (PAAS, SAAS, IAAS - cloud infrastructure services)
plug-able - meaning modular in nature (supporting multiple authN module, policy modules, log/event modules, reporting/analysis modules and more)
integrated with other Security Tools (such as XML FW, DLP, IRM, and more)
integrated in all layers (App, DB, MW, OS/VM, Clouds, etc) and all tiers (device, networks, and data centers)

Specifically these include;

Authentication Services (reusable authN types) for Apps, Users, OS, etc. linked to Federation Services via AuthN context
Web Services Security integrated (message level security) with Transport and Session layer security
AuthN context acting as a condition for ABAC and XACML PDP
RBAC PDP acting as a PIP for a XACML PDP
Risk based PDP acting as PIP for a XACML PDP
Logs from PEP, PDP, PIP, PCCP, etc., exchanged with an external SIEM tool for live monitoring and management
IDM based Service and Attribute provisioning (at design time) used by Access Management at run time
Role (and role manager based) based provisioning of Attributes and Services that align with Business Processes
Adaptive AuthN rules enforced based on Resource Accessed and ABAC
ID Attributes Aggregated for ID Analytics and Reporting
Identity, Attribute and Policy repositories integrated via Virtual Directory (and Unified Profiles)
ID Vetting and ID Proofing processes mapped and aligned to provisioning processes
Assurance Levels as Attributes exchanged based on AuthN context, ID proofing/vetting, Reputation and more.
Common Management tools across all Identity System services
Embed able PEP/PDP on devices/clients, Services, Equipment and more
IRM and DLP instrumented with the identity intelligence layer
Identity and Policy services integrated into Context Engines
Session Oriented integration between Network and Service Sessions

and many more.. I can count at least a 100 touch points between different components of an Identity Infrastructure based on work we've done the past 4 to 5 years. Check out the event agenda that CSO is hosting and presented by Oracle.

BTW: Oracle and Sun are in the leaders quadrant of many analysts reports -- and now we become one indomitable force in the Identity Space (with Sun ID Stack integrated into Fusion Middle ware).

Oracle+Sun Strategy (SW+HW)

2010-01-25T08:40:00.000-08:00

Join in on wednesday this week!!

Call for Chapters - Excellent Opportunity to Contribute

2010-01-18T16:57:00.000-08:00

A book edited by Dr. Raj Sharman, Dr. Sanjukta Das Smith and Manish Gupta State University of New York, Buffalo, NY, USA. To be published by IGI Global.

Charter and Committee proposed for "Identity in the Clouds"

2010-01-18T16:50:00.000-08:00

Out of scope are topics such as Access Control, API's and protocols.

Integrated Identity Infrastructure for NHIN

2010-01-15T20:42:00.000-08:00

Check out the agenda for this event next week. I am reminded of this paper on XACML, RBAC, etc., for HC Use Cases.. Access Management, Federation Management, ID Management, Role Management, Entitlement Management, Risk Management, SEIM, Compliance Management, Auditing & Reporting Management, all in all an Integrated Identity Infrastructure is required for such large scale initiatives such as NHIN. The Keynote Speaker is Vish Shankaran Program Director, Office of National Coordinator/HHS, NHIN.

Covering collaborative real world use cases

2010-01-14T14:46:00.000-08:00

In both my upcoming Keynotes I am collaborating with a customer or a potential customer to join me to discuss the use cases made possible with OpenSSO. At the SIMposium 2010 it is with Paypal (and mobile payment services) where SIM authN, SCWS and OpenSSO XACML based ABAC is covered for risk sensitive mobile payment apps. Its also in collaboration with Mobile Operators -- where the mobile operator acts as the 1st Authenticating Authority and Attribute Authority, with the Payment SP acting as a Authorizing Authority and Attribute Authority (plus as 2nd level Authenticating Authority when needed), leveraging distributed Authorities and allowing many possible ABAC scenarios.

At MISC 2010 I will go over the Integration of Cisco's Webex with OpenSSO and a use case around initiating a webex session from within facebook (logged in and accessed from an iPhone or a Touch Screen client) and collaborating with a set of online facebook friends belonging to a group without having to login again, and exchanging docs, pictures, and other objects based on attributes and tags associated with these objects. For example, if you had a collaborative session with all Alumni of your 1986 High School and are planning a 25th year anniversary event in 2011 plus a fundraiser for a cause, in conjunction with the anniversary - you do it with facebook, flickr and webex.. All the friends are in facebook, flickr has images of past get-to-gethers + some info on the fundraiser project and webex allows for secure collaboration for planning purposes - even though the class of 86 is all over the world (India, Dubai, Canada, UK, US, Europe, etc)..

Speaker Submissions Open- IDWorld Summit 2010

2010-01-13T12:19:00.000-08:00

Transportation, Asset Tracking, Near Field Communications, Citizen ID, Postal Innovation.. all of which requires the mobility context... Excellent opportunities for Mobile Operators to collaborate with transportation/logistics services, asset tracking services, and more..

Policy 2010: Call for Papers for this Prestigious IEEE event

2010-01-03T18:02:00.000-08:00

Location Fairfax and Venue GMU -- perfect!! Call for papers open now - if you are working on XACML and distributed system or network policies this is the event for you. Dr. Duminda Wijesekera, George Mason University, USA, is the Chair this year. Just completed the 1st draft of a paper titled "Constraints and Context for Cloud Infrastructure Services" based on XACML policies.

NHIN - National HI Network

2009-12-26T09:06:00.000-08:00

Along with the NHIN initiative that leverages OpenSSO's XACML policy engine, I am aware of one other large scale initiative that will also leverage OpenSSO's policy engine (will blog more about this in 2010). The 9 areas where OpenSSO excels in terms of scalability for these Policy/XACML deployments are:

Indexed Policies
Cached Policies
Leveraging the underlying Directory Replication Mechanisms
Pre Fetch (post AuthN rules) and event based Policy retrievals/caching
Parallel Evaluations of Policy Set (policy combination's, conflict resolutions, referrals, etc)
Vertical and Horizontal Scaling (within and between nodes)
Tuned for 256 Thread CMT(Niagara 2, 2+ and 3)
High Speed Attribute Authorities (like Oracle DB Appliances)
Highly Distributed Architecture (Embedded (edge/devices), Co-located (with HSS) and Central (master PDP) ).

Note: The PIP is primarily used for accessing patient consent information.

Catalyst Conference Call for Papers

2009-12-23T18:49:00.001-08:00

The call for papers has been extended to Jan 2010 for this important Catalyst event in April. I just noticed this extension at Gerry Gebel's blog. I met Gerry at NetID 2009 and he was kind enough to share some material around "Identity and the Relationship Layer" parts of which I will include and reference in the "Identity and Context" book. I will miss this event, since its the same week as SIMposium 2010. Hopefully I'll make it to the July event at California. Excellent events and a great agenda - dont miss this if you get a chance!!

What a Wonderful World

2009-12-11T19:27:00.000-08:00

Instead of having the final exam (for ISA562)on Monday the 14th Dec, due to some travel commitments, myself and two other students decided to do the finals today! The exam preparation was intent - we had to cover BellLapuda, Biba and Lattice models, plus topics on encryption, DiffeHellman, RSA, DES, 3DES, AES, hash algorithms, PKI, Certs, signatures, and more. It felt good when the exam was completed. Now along with the faculty and fellow student I plan to work on 3 new papers:

Constraints and Contextual Policies (XACML) for Cloud Computing (IAAS)
Composition and Choreography of Cryptographic functions using XACML (federation of Symmetric, Asymmetric, Elliptic, Quantum and their combination of crypto functions)
XACML Policies for Privileged Account Permissions (OS, VM and Hypervisor Admin Accounts)

The 1st paper by dec 20th and the other 2 for spring 2010. On my commute back home from School switched on the radio to merge into this Sam Cooke's excellent song, where the lyrics had a special meaning for me!! After next week California trip - its definitely party time - movies with the kids, WII with Arjun, several holiday parties and more!!

It was a perfect day and time to here this Song!! Came home and searched for Sam Cooke's CD..

Honored, Humbled and Highly Excited

2009-12-09T18:10:00.000-08:00

I am delighted and excited about 2010. Other than the Keynote at MISC 2010 (London) on "Mobile - Connectivity and Context Convergence", I'll deliver another Keynote on "Mobile Payments - SIM for Secure Service Access" at SIMposium 2010 (Rome). The first one is around Attribute Alignment and Aggregation for Social Apps (such as facebook and flickr - imagine Yahoo federating facebook with your flickr albums!! - for example the week I'm in London my facebook friends in london with our joint pictures taken during trips at flickr shows up in my iPhone) delivered to the mobile in a context. The second one is on the relevance of SIM and Javacard 3.0 for NG client devices, IMS and NGN and specifically for Mobile SOA - with mobile payments as an important service example. Aligning Payment SP's with Mobile Operators AuthN and Attributes - OpenSSO integrating with IMS/HSS and SIM/cert authN, plus JavaCard 3, and AuthZ based on Attributes (constraints and conditions XACML). With this trend of Keynote invites, I think I'll stick to 3 or 4 keynotes per year from 2010. There are 2 more tentative Keynote's lined up for 2010 already. I am honored with the recognition given for my work and books by these organizing bodies and humbled by the fantastic opportunities I've had working on key projects, topics and areas around Integrated Identity Infrastructure solutions, giving the experience and exposure to learn more and more (its a never ending story).. BTW: The SIM/JC 3.0 and ABAC/XACML is based on a POC and a potential project which will involve the LARGEST ever XACML based Policy Engine deployment in the World till date (300+ million subscribers, 5000+ policies, integration with RiskBAC and RoleBAC, etc.)..

Mobile - Connectivity & Context Convergence

2009-11-24T08:41:00.000-08:00

I am once again delighted to be giving a Keynote on "Mobile - Connectivity & Context Convergence" at MISC 2010 in London, covering the topic of Context Convergence (Attribute Aggregation) from a Mobile Operator perspective. As Wireless operators such as Verizon Wireless, AT&T, T-Mobile and Telus Mobility are investing in high speed wireless (4G networks), the mobile broadband connectivity (anywhere, any device paradigm) leads to the idea of reaching out to any service and any content from the mobile. However this also implies adhering to the pervasive set of policies and attribute alignment and aggregation -- for the next level of IN implementation- a convergence of MobileIN, NGIN, IN, AIN, InternetIN, IMS Attributes, Service Attributes, IPTV Attributes and more.. My presentation is on the 3rd book "Identity and Context" as well as 5 or more POC's that we are doing with Mobile Operators and Web2.0 companies (using OpenSSO)!! The agenda is packed with workshops, presentations, tutorials on - SAML, Federation, XACML and Attribute Exchange.

SIM, SmartCard, SCWS and SSO

2009-11-17T14:14:00.000-08:00

I was reminded of Ajit Jaokar's writeup from futuretext on SIM and SCWS and its implications for Carrier Cloud Computing, a while back, and the blog entry by Ramesh on JavaCard 3.0 which is a SIM and SCWS implementation in Java, when I saw the call for papers for SIMPosium 2010 by the SIM Alliance. It is indeed amazing to see how these synergies are taking shape for systemic security in the network:

We have had the opportunity to integrate OpenSSO with multiple NEP's IMS implementation of GBA and GAA (which leverage SIM and AKA)
Advances in JavaCard 3.0 with a SCWS allows for embedding PEP/PDP that pertains to devices at the device itself (supporting the Centralized. Co-located and Embedded XACML models in OpenSSO) - multiple ISV integration
Contextual Data exchanged by local PIP (policy information points) and federated (linked) PIP's via OpenSSO for 5 context areas (imagine the power of enforcing energy efficiency via sensors and XACML)
OpenSSO and its Services acting as the foundation set of Service for Mobile SOA, which can leverage SIM and SCWS
Integrating Web 2.0 and Web Services as compo-sable applications and services in a user centric and device agnostic manner

Giving a Guest Lecture at GMU

2009-10-24T08:15:00.000-07:00

As part of the coursework for ISA 562 - students have to do a XACML project (20% of grade). I am totally excited about being invited to give a guest lecture on XACML and ABAC to the 50+ students in this class. It is going to be fun!! I will also cover 5 sample XACML projects - one in Health Care, one in eGov, one in Edu, one in Telco and one in E-Biz. Plus 5 reference papers -one for each project.

Disclosure, Deception and Disruption

2009-10-24T08:01:00.000-07:00

The main textbook covered in the ISA 562 course is this excellent book written by Matt Bishop. In the very 1st chapter he covers the three main areas of security in terms of Confidentiality, Integrity & Availability (CIA) and how they are threatened by Disclosure (such as snooping, wiretapping, etc.), Deception (spoofing, masquerading, etc.) and Disruption (DOS attacks, Delay attacks, etc) - threat techniques. We have so far covered the 1st chapter, Access Control Matrix, Take-Grant Models, RBAC, XACML and other policy topics in class (+ 2 home works and one exam). This Book is a must for all Security Professionals (and course).

Insights into Innovations for Telco's

2009-10-22T13:55:00.000-07:00

Bhaskar Gorti delivering a Keynote & having a chat at OOW. Focusing on Comms, Media and Entertainment for more than a decade now, I like the idea of Identity, Policy, Context enabled (Communication embedded) Business Processes and Workflows - Context will drive a number of innovation Apps and Services from a Carrier Cloud!!

Federal Identity Interop and Initiatives

2009-10-19T08:43:00.000-07:00

Excellent Agenda at the Annual Smart Cards in Government event, to be held next week. Includes NIST, FIPS, ISO/IEC, Trust Levels in AuthN, Kantara, and many more.. Great opportunity if you are local!!

Attribute Authority Appliances

2009-10-15T12:51:00.000-07:00

The first part of this week I watched majority of the Oracle Open World Keynotes (including Larry Ellison, Scott Mcnealy, Thomas Kurian, S. Gopalkrishnan (CEO Infosys) and many others). There were a number of fantastic news:

Continued Commitment to Sun Technologies
World record TPC-C benchmarks on Oracle Sun/DB appliance
Communication enabled Business Processes
The 10 million dollar challenge
Oracle Enterprise Manager updates

This new DB appliance is directly relevant for many projects that are building Attribute Authorities (which augment AuthN and AuthZ Authorities in Federated Systems), for its superior performance and throughput achieved. Other than direct Identity Centric Attributes, there are many Industry Specific Attribute Authorities that need to federate Attributes (such as the mobile or telecom industry, enterprises in health care, finance, education, govt, etc., social networks and more..). We are working on multiple OpenSSO projects where the ID repository plug-in is used to connect to MySQL and Oracle Databases to federate appropriate attributes for the appropriate context (in conjunction with a XACML entitlement engine that enforces the respective policies). There is a whole set of amazing technology behind this appliance.

I also saw the demo of business processes that spanned HR, CRM, Supply Chain, wherein Identity enabled Communications was embedded into these services as part of the demo (which I thought was cool). Remember every call, connection and collaboration is made for a context.

Carrier Network & Corporate Network Context

2009-09-28T07:12:00.000-07:00

This perspective of adding ABAC (conditions and constraints) to an already implemented RBAC project is exactly what we are doing with an Enterprise (a large financial institution) that is taking it's home grown Industry specific applications (originally written for the client server model and later to the web) to the Mobile world with the help of a specific Wireless Carrier and Sun's Mobile Enterprise Platform. Existing RBAC implementation is augmented with ABAC (Aligning the Enterprise Context with the Mobility Context) so these mobile apps can now be delivered by adhering to the different policy domains (privacy policies, QOS policies and more) and leveraging the appropriate context.

RBAC0, RBAC1, RBAC2 & RBAC3

2009-09-28T05:25:00.001-07:00

Our last lecture at GMU was all about RBAC. I've always known that there were several iterations of RBAC from RBAC0 to RBAC3 -- with Role Hierarchy and Constraints, yet I got more clarity in terms of its developments after the lecture. RBAC0 was the base model, RBAC1 had role hierarchies and RBAC2 had constraints ( in parallel paths), RBAC3 combined both hierarchies and constraints together. It should be noted that XACML as an Attribute Based Access Control (ABAC) model also incorporates RBAC. We could have a RBAC based PDP within an Enterprise that gets its conditions and constraints (attributes) from a XACML PDP, unique to each authenticated session. Of course there is more to Role Management than just AC, it is intertwined with your business processes, IT processes, provisioning and more. We need the Cars, Trains and the Planes and Boats.. BTW: My good friend Babak from Axiomatic's emailed me about this webinar tomorrow.

Keeping a tab on my Keynotes and Key Patents

2009-09-11T18:46:00.000-07:00

I will revisit this blog entry as I make progress with new Keynotes and Patents (on behalf of Sun Microsystems). There are 2 more patent apps and 3/4 more keynotes planned (2010):

Patents:

Technology Architecture Patent (SOA, SAN, ACA, etc.)
Container Alignment Engine (ID&Attr driven Alignment)
App Infrastructure Sec Techniques (Aligned with IDS)
Correlated ID Context for Vertical Integration (Defensive Disclosure)

Keynotes:

ICEM2 -- Bangalore 2007 - International Conference on Embedded Mobile Communication and Computing. Title: "Identity and Security for NGN"
SOA Telecom -- Paris 2007 - Service Oriented Architecture for Telecom. Title: "ICA Aligning SOA and NGN"
IDTrust -- DC 2008 - OASIS Symposium on Identity and Trust. Title: "Identity and Policy for Security, Trust and Privacy"
NetID -- Berlin 2009 -- Identity, Trust, Privacy and Security in Europe. Title: "Identity and Context"
DIM -- Chicago 2009 -- ACM Digital Identity Management. Title: "Identity and Context for a Changing World"

Other Significant ones:

Open Group SOA -- Houston 2005 - Aligning Architectural Approaches (WS Incite Award)
Open Group IDM -- SFO 2005 - Identity enabled Network (Trailbalzer Award)
Open Group ADM -- Barcelona 2006 - Aligning ADM and ADDM (SEI Award)
OASIS ID Workshop -- London 2008 - Embedding ID Policy (Above & Beyond Award)
Liberty Alliance WC -- Web 2007 & 08 -- ID Sec and ID Policy (webcast audio)

ID Proofing, ID Verification & ID Credentialing

2009-09-11T16:41:00.000-07:00

Anakam is one of the OpenSSO and Sun IDM ISV partner who has integrated their Solution Set around proofing, vetting/verification, credentialing, etc., very relevant for a lot of eGov initiative (as part of the Registration and Provisioning processes involved in a project). A topic I will cover at the IDM event along with Badri Sriraman, Chief Architect & Development Manager, Identity & Credentialing, from Unisys, in a few weeks. Brent Williams (CTO) of Anakam will also present at the event.

Cheng on Client Context based Authentication

2009-09-11T15:08:00.001-07:00

It is one thing to support multiple Authentication Context (such as SmartCard and Mobile Contract) and another thing to support multiple AuthN types (such as Role based and Realm based). There could be rules that also take into account the client context information such as IP Address, IP Address ranges, private and public IP addresses, client environment (browser, iphone), device type and more. We are working on a POC that does exactly that for a customer who takes the client context into account for the authentication mechanism to use and respectively deliver post authN rules based content. Excellent writeup, very timely and useful by Cheng and team.

Ten Tremendous and Terrific Years

2009-09-10T19:03:00.000-07:00

I still remember the day I started at Sun 10 years ago in September 1999. Since starting at School in the Summer of 1990 to do my Masters at ODU, I had been working on Sparc Systems in the School Labs with what was known as SunOS. I was a hands on administrator fixing issues and managing a group of workstations. After graduating in 92 I landed up as a Systems Analyst (with limited programming work- perl, sed, awk, grep, etc), and then a Systems Administrator, later a DB Admin, and finally a Peoplesoft Architect, before joining Sun (approximately 2 years in each area- giving me the foundation to become a Systems/IT Architect). My boss in my previous job asked me -- if you had a choice of picking your Company, who would you go work for (since I landed up with my permanent residency and was about to complete the 4 year program/contract with them). Instantly my answer was Sun Microsystems, and voila I was part of the company with Ray Metzger as my 1st boss (in Sun PS). The very 1st day at Sun, I get a call asking me to book a flt that night to Las Vegas -- the Advanced Internet Practice (under Dan Berg) was having a group meeting and I was asked to join them (my 1st trip to Vegas). This was at the hotel Paris (which was just inaugurated that Summer). The 1st 4+ years at Sun PS was awesome. I had fun doing projects for Telco's in Cananda, US and Latin America (including Mexico, Argentina and Brazil). Around the end of 2002 I decided to specialize (from generic IT/Systems Architect) in Identity related projects - since we had just released the 1st Identity Server product (based on the Liberty Alliance specs that came out in 2001). This was based on my new boss then (Ron Schmidt) recommendations and what Dr. James Baty mentioned in a CETC/CEC event in 2002. Luckily I worked on a 6 month PS project for a Wireless Company in Seattle (that was migrating from Odyssey 1 to 2 - the name of the Architecture Initiative), with an Oblix implementation for IDS and a SOA as the Target Architecture (one phenomenal project ). That helped me transition to Software Sales and Services working on projects (POC, pilots and proto-types) primarily focusing on the NEP market (such as Nortel, Cisco, Moto, Ericsson and Siemens). This exposure resulted in a bunch of papers I wrote around "Identity enabled Networks" - which was compiled into the 1st book in 2006 (also supported by Shawn Malaney my boss then). Between 05 and 09 I also acted as the Technology Lead (1st Telco and then for OpenSSO) primarily capturing Market requirements and relaying them to product engineering (at CEC/SEC meetings in Santa Clara). Since 2004/05 I started working with many ISV's (Bonsai, Pronto, Openwave, etc.) and Sun Telco customers as well (such as Verizon, AT&T, Telus Mobility, etc.).. moving on to publish this series of books, and getting more industry exposure (working with TMF coop on SSO, ITU-FG on IDM for NGN, Liberty Alliance ID Assurance programs, and more). In ten years I've had 5 managers (that includes Ken English plus Dennis Mastin) and all 5 of them were true leaders!! fully supporting and encouraging individuals like me.

Amazing ride, a royal ride from Paris in Vegas the 1st week at Sun to Rio in Vegas (for DIDW 09 and Kantara) next week (sept 14th - which happens to me my B'day as well).

I love this Company for 5 things unique to Sun;

A company that is brimming with technology Innovation and encourages innovation from all
A company that has been an Industry Leader in terms of inventions (Java, Niagara, SunSpot, etc.)
A management that believes in Instrumenting a culture of team work and fearless courage
Colleagues who are genuinely interested in working towards solving customer problems
and Last but not the Least a Corporate Culture to Give and Volunteer

I will cherish this Award, the Sun PIN and the Mongoose Bicycle (recognition award).. Similar to the thousands of employees who have completed 10 or more years.. We all got a lot from this company -- a productive atmosphere, training, exposure to high profile projects, visibility, and a solid amount of experience!

Sun is Shaping a Sustainable Future

2009-09-10T18:15:00.000-07:00

I noticed this upcoming event on Corporate Culture and Ethics a few months back, a forum organized by IAHV (AOL sister organization) since I am a IAHV volunteer as well. As I'm completing 10 years at Sun Microsystems (next week), I nominated Sun Microsystem's (recently acquired by Oracle) & its chairman Scott McNealy - for their role played in corporate culture of volunteering and giving -- that has taken shape in the recent years based on a number of community programs that leverage Technology.

This culture is both top-down and bottom-up -- with support from Chairman of the company "Scott Mcnealy" and his pet project Curriki is an online environment created to support the development and free distribution of world-class educational materials to anyone who needs them, to many grass roots level folks such as Betsy Hansen and her work at horsepower along with many such volunteers. With an outstanding Business Conduct - Sun was named One of the Worlds most Ethical companies recently.

Sun's technology has been leveraged by many community based collaboration projects that aim to address issues and concerns around housing/shelter, education, transparency and more, such as; architecture for humanity a collaborative community based tool that helps design low cost homes for countries in Asia and Africa. This includes programs to address the world's hardest problems, including DATA (Debt, Aids, Trade, Africa), the ONE Campaign , Make Poverty History , Oxfam , Architecture for Humanity, and others.

Sun's worldwide volunteer week programs and digital divide programs have made tremendous impacts globally:
http://www.sun.com/aboutsun/foundation/init_employees.jsp
http://www.sun.com/aboutsun/foundation/volunteer_programs.jsp

Majority of the Sun employees and senior management I know are volunteering in one form or another -- especially since Sun as a Corporate entity works with its employees to pursue the goals of their choice -- one employee may be passionate about fighting cancer programs,
another about volunteering for digital divide, and so on -- and they may pursue those through their own community effort and with the support from Sun, Catalyzing the initiatives with their combined efforts..

As an employee who is completing 10 great years at Sun, and as Sun is celebrating 27 years - I wanted to share my experience and understanding of how Sun Creates this Culture of Volunteering --leveraging technology and community based tools. I got reminded about this today since I got an email about Sun's SAI!!

I hope Sun Microsystems as a corporate entity and Scott Mcnealy as the Chairman get to win this Award this year!! It will be a well deserved RECOGNITION!!

Sustained Spending on Sun Sparc and Solaris

2009-09-10T17:12:00.000-07:00

I spoke to a few large Sun Telco shops..about this Advt. This is very good news for them. Also watch out for Niagara 3 (16 core 16 thread per core = 256 cpu threads)!! Ideal processor for large scale Identity Providers (who handle federation, authN, policies and context).

Secure Span for SOA Security

2009-09-09T11:17:00.000-07:00

With the first cut of OpenSSO entitlement services released as part of an express release, one can easily see how existing implementations can leverage OpenSSO as a Policy Admin/Mgmt Point (PMP) and a PDP that integrates with multiple types of PEP's (such as run time policy enforcement engine from Layer 7) and other specialized PDP's. Very relevant for Cloud Computing Control. When everything eventually ends up in the clouds, IaaS, SaaS, PaaS, S(ec)aaS, and more -- policies in conjunction with attribute authorities aka PIP (SLA as well) becomes pervasive.