A Journal of Identity Management


Newsletter archive (Network World)

Dave Kearns on Identity

Simply the best, better than all the rest

Eight years ago I wrote, in reference to an organization’s IdM portfolio: “Still, the argument will always rage as to whether it's better to purchase best of breed products from several vendors or a homogenous suite from a single vendor.” An argument may continue to rage – but it’s now a slightly different argument.


Join me, Ontario’s Privacy Commissioner Dr. Ann Cavoukian, McAfee Chief Privacy Officer Michelle Dennedy and a surprise guest for a webinar, “Privacy by Design” on January 26. Register here.


We still talk about Best of Breed, but it’s no longer in reference to single purpose apps or services. Now the argument is around which suite of products is the “Best of Breed.” But even that concept is on its way out, as I discovered at last year’s European Identity Conference. While collecting opinions from attendees, one told me “If there really could be an objective ‘Best of Breed’ then we'd only have one religion and one political party…”!

Of course, no vendor has a 100% complete IdM/IAM suite of products. Some may not even have all the ones you are interested in but have others you don’t need. So your first step is to find a suite that best meets your needs in terms of modules, connections – and price. Don’t forget to include the cost of implementation (consultants’ fees, hardware needs, etc.) and maintenance in the price estimate.

Once you’ve made your preliminary choice, discover what it will take to add the other pieces you need from other vendors. Consider how easily they can be integrated, what the upgrade process could be like, and – of course – price. If you do it right, you’re a hero. If not, well, best not to consider that outcome!

Coming up soon (from the IdM Events calendar):

Jan 17 IIW Satellite (Bethesda, MD)

Jan 26 Privacy by Design (webinar)

Feb 09 Bridging the Cloud Sign-On Gap (Webinar)

Feb 27 Biometrics Summit (Miami, FL)

2011 in the Breach

Happy New Year! And, for some of us, it will be a happy one as personal triumphs punctuate what will probably continue to be less than happy news on the security front. Reviews of 2011 are – like reviews of 2010, 2009, 2008 and earlier years – downright gloomy in what they have to say about our ability to learn from past mistakes.

From the RSA breach in the spring to the STRATFOR data leak in December we saw that there’s nothing new under the sun – companies that should know better how to secure their data acted like the cobbler in the old story. Psychologists call it Cobbler’s Children Syndrome:

“In many organizations I have encountered during my consulting career, people have complained about "Cobbler's Children Syndrome". Like the proverbial children of the shoemaker who go without shoes, I have consulted to technology companies that have outdated computer systems, marketing firms that don't market themselves in any way, and consulting firms that fail to put into practice for themselves a single theory or model upon which they have built their businesses.” - Ben Dattner, Psychology Today

We can now add security vendors (RSA) and security analysts (STRATFOR) to the list of companies who simply won’t follow their own advice.

These two breaches, in fact, tell us most of what we need to know about protecting our data:

1. Encrypt the data, the credentials and anything else you don’t want leaked (STRATFOR)

2. Protect the encryption keys from insider as well as outsider attacks (RSA)

It really is that simple. But, evidently, it really is that hard to learn. In reality, this amounts to the same advice given to drivers when parking their cars: hide your valuables, lock your doors. Most people do that, but there are always a few who don’t. And there are enough who don’t to keep the petty thieves in business. Just as there are enough enterprises that don’t protect their data adequately to keep common criminals (or criminal states, as was evidently the case with the RSA breach) in the business of hacking their information.
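The two lessons above (encrypt the data and credentials; keep the keys away from the data store and from anyone who can read it) are what envelope encryption and salted password hashing are for. The following is an added example in Go, not code from this column, and it assumes a key-encryption key (KEK) that lives somewhere the database host cannot read, such as an HSM or key-management service; the record body and the password are constructed sample values. Each record is encrypted under its own random data key, and that data key is stored only in wrapped form under the KEK, so a dumped table of records is useless without the KEK. Credentials are stored as salted PBKDF2-SHA256 hashes rather than plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Record is what lands in the database: the body encrypted under a per-record
// data key, plus that data key wrapped under a KEK the database never holds.
type Record struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// sealGCM encrypts plaintext with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or tampered bytes fail the GCM tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptRecord draws a fresh 256-bit data key, encrypts the body with it and
// wraps the data key under kek. Only the wrapped form of the data key is stored.
func EncryptRecord(kek, body []byte) (Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dataKey, body)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(kek, dataKey)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK to unwrap the data key; a dump of the Record
// alone, or the wrong KEK, yields an error rather than plaintext.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dataKey, err := openGCM(kek, r.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, r.Ciphertext)
}

const pbkdfIterations = 100000

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 (U1 = HMAC(P, S||1),
// Uj = HMAC(P, Uj-1), T = U1 xor ... xor Uc) so stored credentials are slow to brute-force.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// HashPassword returns salt||hash with a random 16-byte salt per credential.
func HashPassword(password string) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return append(salt, pbkdf2SHA256([]byte(password), salt, pbkdfIterations)...), nil
}

// VerifyPassword recomputes the hash with the stored salt and compares in constant time.
func VerifyPassword(password string, stored []byte) bool {
	if len(stored) != 16+32 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), stored[:16], pbkdfIterations)
	return subtle.ConstantTimeCompare(got, stored[16:]) == 1
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a key held in an HSM/KMS
	rand.Read(kek)
	rec, _ := EncryptRecord(kek, []byte("constructed: subscriber card data"))
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
	_, err = DecryptRecord(make([]byte, 32), rec) // what a thief holding only the DB dump gets
	fmt.Println("without KEK:", err)
	h, _ := HashPassword("constructed-passw0rd")
	fmt.Println("verify ok:", VerifyPassword("constructed-passw0rd", h), "wrong:", VerifyPassword("x", h))
}
```

The design point is separation: the KEK and the record store have different owners, so an insider who can read the database still cannot unwrap a single data key, and a leaked credential table yields only salted hashes. Rotating the KEK means re-wrapping the small data keys, not re-encrypting every record.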

Perhaps it’s time to make corporate management responsible when data is breached, especially when it’s customer or client data. Perhaps a CEO or two should go to jail. Sarbanes-Oxley – with its strong penalties – drove the governance model; maybe we need a Sarbox for data protection.


©2011 by The Virtual Quill
