A Journal of Identity Management



Dave Kearns on Identity

Simply the best, better than all the rest

Eight years ago I wrote, in reference to an organization’s IdM portfolio: “Still, the argument will always rage as to whether it's better to purchase best of breed products from several vendors or a homogenous suite from a single vendor.” An argument may continue to rage – but it’s now a slightly different argument.


Join me, Ontario’s Privacy Commissioner Dr. Ann Cavoukian, McAfee Chief Privacy Officer Michelle Dennedy and a surprise guest for a webinar, “Privacy by Design” on January 26. Register here.


We still talk about Best of Breed, but it’s no longer in reference to single purpose apps or services. Now the argument is around which suite of products is the “Best of Breed.” But even that concept is on its way out, as I discovered at last year’s European Identity Conference. While collecting opinions from attendees, one told me “If there really could be an objective ‘Best of Breed’ then we'd only have one religion and one political party…”!

Of course, no vendor has a 100% complete IdM/IAM suite of products. Some may not even have all the ones you are interested in but have others you don’t need. So your first step is to find a suite that best meets your needs in terms of modules, connections – and price. Don’t forget to include the cost of implementation (consultants’ fees, hardware needs, etc.) and maintenance in the price estimate.

Once you’ve made your preliminary choice, discover what it will take to add the other pieces you need from other vendors. Consider how easily they can be integrated, what the upgrade process could be like, and – of course – price. If you do it right, you’re a hero. If not, well, best not to consider that outcome!

Coming up soon (from the IdM Events calendar):

Jan 17 IIW Satellite (Bethesda, MD)

Jan 26 Privacy by Design (webinar)

Feb 09 Bridging the Cloud Sign-On Gap (Webinar)

Feb 27 Biometrics Summit (Miami, FL)

2011 in the Breach

Happy New Year! And, for some of us, it will be a happy one as personal triumphs punctuate what will probably continue to be less than happy news on the security front. Reviews of 2011 are – like reviews of 2010, 2009, 2008 and earlier years – downright gloomy in what they have to say about our ability to learn from past mistakes.

From the RSA breach in the spring to the STRATFOR data leak in December we saw that there’s nothing new under the sun – companies that should know better how to secure their data acted like the cobbler in the old story. Psychologists call it Cobbler’s Children Syndrome:

“In many organizations I have encountered during my consulting career, people have complained about "Cobbler's Children Syndrome". Like the proverbial children of the shoemaker who go without shoes, I have consulted to technology companies that have outdated computer systems, marketing firms that don't market themselves in any way, and consulting firms that fail to put into practice for themselves a single theory or model upon which they have built their businesses.” - Ben Dattner, Psychology Today

We can now add security vendors (RSA) and security analysts (STRATFOR) to the list of companies who simply won’t follow their own advice.

These two breaches, in fact, tell us most of what we need to know about protecting our data:

1. Encrypt the data, the credentials and anything else you don’t want leaked (STRATFOR)

2. Protect the encryption keys from insider as well as outsider attacks (RSA)

It really is that simple. But, evidently, it really is that hard to learn. In reality, this amounts to the same advice given to drivers when parking their cars: hide your valuables, lock your doors. Most people do that, but there are always a few who don’t. And there are enough who don’t to keep the petty thieves in business. Just as there are enough enterprises who don’t protect their data well enough to keep common criminals (or criminal states, as was evidently the case with the RSA breach) from hacking their information.
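The first of the two lessons above, applied to stored credentials, looks like this in practice. This is an added example written for this page, not code from the column or from any vendor it mentions: each password is stored only as a salted PBKDF2-HMAC-SHA256 digest, so a dumped credential table (the STRATFOR scenario) yields no reusable passwords, while the service can still verify logins. The iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Parameters are assumptions for this example, not values from the column.
PBKDF2_ITERATIONS = 200_000   # slows offline guessing if the table leaks
SALT_BYTES = 16               # per-user random salt defeats precomputed tables
ALGORITHM = "pbkdf2_sha256"


def hash_credential(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The password itself is never stored; only the salt and the one-way digest are.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the comparison stopped matching.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users: dict) -> dict:
    """Constructed credential table: username -> stored record (no plaintext kept)."""
    return {name: hash_credential(pw) for name, pw in users.items()}


def dump_reveals_passwords(store: dict, users: dict) -> bool:
    """Model what an attacker holding only the dumped table can read directly.

    True if any user's plaintext password (or its hex encoding) appears in the dump.
    """
    dump = "\n".join(f"{name}:{record}" for name, record in store.items())
    for pw in users.values():
        if pw in dump or pw.encode("utf-8").hex() in dump:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample users; the passwords are examples only.
    sample_users = {"alice": "correct horse battery", "bob": "correct horse battery"}
    store = build_store(sample_users)
    # Same password, different records: the salt makes each digest unique.
    print("records differ:", store["alice"] != store["bob"])
    print("alice login ok:", verify_credential("correct horse battery", store["alice"]))
    print("wrong password rejected:", not verify_credential("wrong", store["alice"]))
    print("dump exposes passwords:", dump_reveals_passwords(store, sample_users))
```

The second lesson (protect the keys) is the part this snippet cannot show on its own: a hash table like this needs no key at all, which is exactly why password storage should use one-way hashing rather than reversible encryption. Where data must be decryptable, the key belongs in a separate, access-controlled store (an HSM or key-management service), never in the same database or backup as the ciphertext.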

Perhaps it’s time to make corporate management responsible when data is breached, especially when it’s customer or client data. Perhaps a CEO or two should go to jail. Sarbanes-Oxley – with its strong penalties – drove the governance model; maybe we need a Sarbox for data protection.

Coming up soon (from the IdM Events calendar):

January 17 Internet Identity Workshop Satellite (Bethesda, MD)

February 9 Bridging the Cloud Sign-On Gap (Webinar)

February 27 Biometrics Summit (Miami, FL)

©2011 by The Virtual Quill


Latest Headlines
Thursday, Jun 24

How to protect online transactions
Julie Sartain, Network World
New federal guidelines, which took effect last month, recommend multiple layers of security controls beyond the traditional username/password, particularly out-of-band authentication methods.

Resellers See IDM as Security Woes Solution
Larry Walsh, Channelnomics
Identity management remains one of those heady security solutions only accessible by large enterprises because of its complexity and cost. However, the need for better security and the value in managing identity to control risks is finding its way deeper into the market, particularly through the channel, according to SafeNet.

Yubico and SSO Easy Make Single Sign-On With Two-Factor Authentication Easier
Strong two-factor authentication is vital for securing access to SAML-based single sign-on servers and mission-critical applications with sensitive information.

Hackers may be able to outwit online banking security devices
John Leyden, The Register
An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC.

Yubico, CloudPassage partner for cloud server authentication
With YubiKey and Halo GhostPorts, systems administrators can temporarily open up a server management port for designated administrators.

Accessible Archives Announces Shibboleth Compliance
PR Newswire
The Shibboleth System is a standards based, open source software package, rapidly growing in popularity. It provides web-based single sign-on across or within organizational boundaries.

Quest Software Announces Speakers for The Experts Conference 2012
Business Wire
The 11th annual technology conference, which is presented by Quest and Microsoft, will be held at the Marriott Marquis & Marina in San Diego, April 29-May 2. TEC offers world-class, 400-level training on Microsoft Identity and Access, Exchange Server, SharePoint, PowerShell, and Virtualization and User Workspace Management technologies for the most experienced IT pros in the world.

Optical transaction signing device limits ebanking fraud
Help Net Security
The device uses an optical sensor to read financial transaction data from a Web browser, generating a unique electronic signature that validates each transaction, reducing threats such as Man-in-the-Browser (MitB) and Man-in-the-Middle (MitM), in which hackers hijack legitimate user identities during a transaction and redirect funds.

U.S. Rep outlines online security bill
Anthony Vasquez, The Stanford Daily
House Bill H.R. 3523, called the Cyber Intelligence Sharing and Protection Act of 2011, would require the Director of National Intelligence to create a way for the government to share information about online threats with private companies.

YubiKey Supports Password Tote for Increased Identity Protection and Online Password Management
Market Wire
Password Tote is an online consumer password manager that assists in the storing of secure passwords. Password Tote eliminates the worry of losing or forgetting a login password for online services, and all passwords are stored in one secure location.

MaxMind and TeleSign Partner to Provide Best-in-Class Multilayer Fraud Prevention
The combination of MaxMind's geolocation and minFraud fraud-risk scoring services and TeleSign Telephone Verification and PhoneID delivers a best-in-breed alliance for fighting against a wide variety of fraud.

Why Password Security Lives On
Nick Clayton, Wall Street Journal
There appears to have been little research into why password security has remained so popular. It is, perhaps, hard to challenge the orthodoxy that a replacement is just around the corner and soon users will no longer have to remember strings of letters, digits and symbols in order to access services.

Two-factor authentication isn't enough
Pat Carroll
As cyber attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication is no longer enough because sophisticated fraud simply leverages the authentication process.

Jericho founder: Get involved in plan for protecting identity online
Ron Condon, UK Bureau Chief, Search Security
Paul Simmonds, a founding member of the Jericho Forum, which is now part of The Open Group, is calling for European organisations to get actively involved in providing input to the US-based National Strategy for Trusted Identities in Cyberspace (NSTIC), a project with the goal of protecting identity online.

Sykipot Malware Now Steals Smart-Card Credentials
Kelly Jackson Higgins, Dark Reading
New variant of malware used by advanced persistent threat (APT) actors out of China challenges DoD, other organizations' two-factor authentication.

Identity Versus Authentication
Taher Elgamal, Dark Reading
Authentication, on the other hand, is the act of proving to the online service that someone is the owner of that account.

CallCopy Helping Companies Comply With PCI DSS v2.0 Standards
To give its customers added assurance around the new standards, CallCopy recently engaged Coalfire Systems, Inc. (Coalfire), a respected PCI Qualified Security Assessor (QSA) company, to conduct an independent technical assessment of its cc: Discover workforce optimization suite. Results of the audit are expected in early 2012.

Thoughts on SCIM
But will SCIM be accepted where SPML was not? I don't know, but I think there is a decent chance.

SailPoint Posts 100% Annual Growth and Market Momentum in 2011
Company Positioned as a Leader in the Identity and Access Governance Magic Quadrant

SecureAuth IEP Achieves 5 Star Rating in SC Magazine's Multifactor Group Test
The reviewers also verified the importance of SecureAuth's SAML Portal-in-Box, included at no charge, with the SecureAuth Identity Enforcement Platform.

Federated identity continues to dominate TV Everywhere access, study shows
John Fontana
The Diffusion Group (TDG), a digital media analyst and market strategy firm, says by 2016 most consumers will subscribe with a content distributor, what TDG calls an Operator, to access TV Everywhere services as opposed to directly contracting with content providers. The model involves content programmers (channels such as HBO), content distributors (cable or other PayTV service providers) and end-users.

IBM software eases role-based security operations
Ellen Messmer, Network World
The tool is able to actively poll a wide range of databases and directories, such as Microsoft Active Directory, Oracle, Siebel and SAP, that are used to store information about employees, their jobs and current access privileges, says Marc van Zadelhoff, vice president of strategy and product management at IBM Security Systems.

SCIM, PEX and what the parrot saw
Jackson Shaw
Everyone involved in the invention of SCIM deserves credit. But we need some plumbers and contractors to start using it in anger. The fact of the matter is that until we get more plumbers and contractors using SCIM, we are looking at a long uptake cycle, unfortunately.

SOPA lining up to poison identity federations, expert says
John Fontana
The government has committed multi-millions to helping the private sector build an identity layer for the Internet. But one analyst says either the Stop Online Piracy Act (SOPA) or the Protect IP Act (PIPA) could result in one government action rendering another moot and bungling the promise of secure IDs.

Symplified Surpasses 3 Million Users in 2011 as Cloud Usage Soars
Market Share Leader Triples Licensed Users as Demand for Cloud Identity and Access Management Service Takes Off

© Copyright 2003 - 2009, The Virtual Quill