I love hashtags, because I love Twitter. So it was inevitable that hashtags would become a major part of one of my talks at some point. And as I get ready for another round at Defrag (one of the highlights of my year every year), I realized I never posted about the talk I gave at the 2015 Cloud Identity Summit in La Jolla. Work, you are killing me!
Kaspersky Labs has revealed this week that their corporate network was subject to a sophisticated cyber-intrusion that leveraged a new malware platform. Their investigation is ongoing, and they have found the malware to have been used against other victims as well. So while I am sure there are more details that they will reveal, I did have some instant reactions that I couldn’t fit into a tweet, so decided to gather them here:
It all started with a tweet I sent regarding the position on passwords and password managers that a member of Microsoft Research was taking in an NPR article (I’ll expand on my viewpoint in a later blog post). But one of the resulting responses I received sent me down a very interesting rabbit hole.
Identity is the key to a secure, agile, cloud-based world. Which means that managing and using identities has to be easy, seamless, inherent, cost-effective. Enabling that was the mission when I joined Identropy to build what would become SCUID. We believed that the future of identity management lay in the cloud, and required a fundamental rethink of the business of managing identities.
Ever since the Snowden revelations broke, there has been a lot of interest in metadata, with a lot of ink (or should that be bytes?) devoted to defining exactly what it is, where it can be gathered from, who is capable (and how) of doing said gathering, and most importantly of all, if it is even important enough to warrant all the discussion. Official statements of “We’re only collecting metadata” have attempted to downplay the significance and privacy implications of the metadata collection.
Another Cloud Identity Summit has come and gone, and even though it only happens once a year, the effect of being at “the top event on the identity calendar” (as Stephen Wilson puts it) always lingers. You leave trying to process all the great content and ideas you got exposed to, thinking about the wonderful conversations you had, and re-energized from hanging out with so many smart and talented individuals.
It would be pretty funny if the next ad for Apple’s iDevices touting TouchID happened to make the point using Google Glass (“In a world, where Glassholes are everywhere – behind you in line at Starbucks, sitting next to you on the BART, even lying in bed next to you – no passcode is safe!”). This article about the consumerization of shoulder surfing using Google Glass (and other wearables, to be fair) means that any kind of pin entry or pattern swiping can be captured, analyzed and figured out pretty quickly.
In developing SCUID, we’ve been taking a very deep look at how the very nature of online identity (mostly enterprise identity, but a lot of it extends equally well to the broader definition of online identity) is changing in terms of how it is managed and what it needs to support. And in addition to my own recent work (that I’ve been documenting on this blog and in my various talks), there has been a lot of interesting discussion on some fundamental rethinking of the construct of identity.
So, this wasn’t planned. But Slideshare, where I have been posting all of my talks, announced that they are discontinuing their excellent Slidecast feature. I’ve relied on that feature almost exclusively over the last few years for posting my slides along with their accompanying audio. Most of my presentations are highly visual, featuring imagery, humor and diagrams that make almost no sense without the accompanying audio to provide context.
In 2010, I gave a (in retrospect somewhat optimistic) talk at the Catalyst conference in which I described a pull-based architecture for account provisioning. SAML was a central part of that architecture, especially in supporting Just-In-Time (JIT) Provisioning, which I was sure was going to be important to the evolution of enterprise cloud applications.
Just back from about 10 days out of the country, so still catching up on everything, and will return to the topics from CIS and Catalyst shortly. But in the meantime, a little bit of nonsense.
For my 10,000th tweet, I wanted to do something funny that would celebrate just how much I love Twitter. And since one of the reasons I love it so much is my tweeps in the identity community (or Identirati (or Identerati)), I sent out this tweet:
I’m on my annual pilgrimage to the Gartner Catalyst conference in San Diego this week, and obviously one of the topics of interest has been standards. In his ‘Hitchhikers Guide to Identity’ talk (a blatant ripoff of mine!), Patrick talked about Standards being one of the pillars of the emerging Identiverse. And in the always entertaining ‘Identity Standards Smackdown’ that Ian Glazer moderates, SCIM and SAML tied as the “winners” (an obviously rigged result since Pam’s OpenID Connect was clearly superior).
Sounded simple enough. Join forces with Pam and Dale to put on a 3 hour workshop at the Cloud Identity Summit exploring all things identity management, each of us having a whole hour in which to dazzle the crowd. And with an awesome theme like the Hitchhikers Guide to help us keep it entertaining.
That is the position I set out to convince people of with my talk ‘IDaaS: The Now Big Thing‘ at this year’s Cloud Identity Summit. Even with the words ‘Cloud’ and ‘Identity’ in the name of the conference, and even with a fairly friendly crowd, I knew that this would be a somewhat daunting challenge.
Another Cloud Identity Summit is in the books, and it confirmed its status as one of the premier conferences for all things identity management. Andre and the Ping Identity team did a great job as always, and Napa was a great location (though connectivity did become an issue).
What happens when you take a bunch of technologists interested in identity, cloud computing, mobile and the evolution of IT and whisk them away to a resort in wine country? Well, we will get a chance to find out next week at the Cloud Identity Summit that is taking place in Napa, CA.
‘Tis the season to be hacked, I guess. Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users.
I’m just now coming back to earth from the high I’ve been on since I came back from Vegas on Wednesday. And no, it has nothing to do with the usual things you’d associate with Sin City. I was in Vegas for our company’s bi-annual all-hands meeting. We’ve grown tremendously since I started at Identropy back in the summer of 2011, and there were a bunch of people I was meeting in person for the first time.
If you’ve been following Authentication related discussions, you know that a lot of the tactical focus is on adding additional authentication factors to the base username/password login mechanism as a way of making it more secure. This is particularly true in consumer facing applications, as brought into stark contrast by the Mat Honan hack episode. A cornerstone in this is the use of SMS delivered One Time Passwords (OTPs) as a just-in-time authentication factor.
Another year, and another Catalyst conference had come and gone. This one was very different. For one, the structure of the conference is very different from years past, focusing on thematic areas rather than topics of research. As such, there was no focused identity track, but rather a sprinkling of identity management topics throughout the various tracks. The track getting the most attention was definitely the mobility track, as everyone tries to figure out how to adapt to the growing move to mobile and mobile apps as the way that people interact with corporate resources and services.
Wired has the kind of article that will make all of us leading highly digitized lives (is that the right term?) wake up in a cold sweat. While the title – How Apple and Amazon Security Flaws Led to My Epic Hacking – may strike many as sensationalist, the article does a good job of showing just how the rappel ropes of our digital lives have mushroomed into a beast that we can’t manage or hardly ever understand the implications of.
There’s no two ways about it. This year’s Cloud Identity Summit was another incredible edition that brought together great content and really interesting discussions about the state and future of identity. It is definitely going to be fun watching the amazing community we have in identity use this conference as a platform to make a big impact on cloud identity and identity management in general.
It’s Cloud Identity Summit week, and it should be a blast. For one, it’s in beautiful Vail, CO – a place I’ve never been to. Secondly, you never know what will happen when you put all the identity oddballs in the same place, with no place to escape to.
In a post entitled “Freedom of Choice ≠ Your Choice of Captor“, Craig Burton has responded to the part of my previous post where I expressed skepticism about the “profound innovation” in the work Microsoft is doing.
Kim Cameron has a vision for where identity management is going, and he has started to lay it out in a series of blog posts, starting with this post on ‘Identity Management as a Service‘ (where he unfortunately reopened the IDaaS vs IDMaaS acronym debate).
What does it take to wake me from my blogging slumber? I guess it takes someone bashing Identity Management as a security technology that is deployed just for the sake of it.
In an article today on InfoWorld entitled ‘Killing the cloud with complexity‘, David Linthicum classifies Identity Management as a “trendy”, “newer” and “more expensive” security model in cloud deployments for which “there really is no requirement”. In his view, it just adds to the complexity of the deployment, helping to kill it. Makes your head spin, no?
RWW Enterprise just covered the latest update of PingFederate in an article titled It’s PingFederate 6.6 Versus “Identity as a Service”. I couldn’t pass up the opportunity to comment on some details that made me cringe, so naturally this blog post was born. Please note that this is not about PingFederate in specific, a product I have no in-depth knowledge of. It’s about identity concepts and architecture.
Time and time again, we hear from organizations that are struggling with the task of managing their IAM deployments. Budget overruns and unexpected expenses, the difficulty of finding and retaining IAM specialists, the inability of an overtaxed IT department to keep up with the constant adjustments and demands on the program – these are just some of the issues that keep program managers and CIOs up at night.
To all those claiming victory in the nymwars, hold on to your horses and read between the lines. Nothing that has been said indicates any kind of understanding from Google on the debate over use of pseudonyms.
It was an interesting weekend, to say the least. I’ve never had to prepare for a hurricane before, so going through the exercise was a revelation in so many ways. You discover what you consider really “valuable” (like when I actually packed my external hard drive that has 10 years’ worth of digital images and home videos alongside our passports and insurance policies, despite it being backed up online). You also discover how much stuff you have just lying around to clean up.
The “Real Names” debate has been fascinating to watch, because it is such an intriguing melange of issues – social conventions, technical requirements, best practices, community responsibility – rolled into what would on the surface seem to be a very simple problem. After all, what we’re really talking about is what value to let people put (self assert) into the name field that is used prominently in social sites.
At the Cloud Identity Summit last week, one thing was patently obvious – the agenda was filled with super interesting talks from very talented speakers. So given that I was talking about the riveting (not!) topic of user provisioning, I knew I had to pique people’s curiosity to draw them in.
As I posted on Friday, I decided it was time to close the chapter on my career at Thoracle (by the way, the positive wishes in response from all of you have been quite gratifying). But it wasn’t without knowing what the next chapter was going to bring.
Today is my last day at Oracle, ending an era of my life that began over 10 years ago at Thor Technologies. Back then, I had no idea about the scope of the journey I was embarking on. I had no idea I was entering a space that was going to become so hot and scrutinized, alternating between being loved and hated (with a passion). They didn’t even call it “identity management” back then.
Mike Neuenschwander has dubbed July as Identity Conference Month. And he should know, given that so many of his signature moments were on stage at the Catalyst conference that will be returning at the end of this month (July 26-29 in San Diego).