Ian Yip's Security and Identity Thought Stream
Identity, Access, Security, Cloud, Mobility...
Author: Ian. Feed last updated 2023-06-12.

Retiring this blog (published 2020-12-06)<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-bIiQXs6nZIE/X8ySQaTG-BI/AAAAAAAAAu8/SuqITT6GqB4KmoJTVK657J0aDNe1JIubwCLcBGAsYHQ/s1920/ethan-ou-4hn-2dTm1yU-unsplash.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1080" data-original-width="1920" height="225" src="https://1.bp.blogspot.com/-bIiQXs6nZIE/X8ySQaTG-BI/AAAAAAAAAu8/SuqITT6GqB4KmoJTVK657J0aDNe1JIubwCLcBGAsYHQ/w400-h225/ethan-ou-4hn-2dTm1yU-unsplash.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: start;">Photo by <a href="https://unsplash.com/@ethan520?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Ethan Ou</a> on <a href="https://unsplash.com/s/photos/dusk?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></td></tr></tbody></table><p>This is being written a few years too late. Then again, I don't think too many people read blogs like this the way we all used to.</p><p>It's been a great run here on this blog. As time has moved on, so has the way people consume information, and my area of focus. While I do still get involved with Identity & Access Management (IAM) matters, it's only a portion of what I spend time doing.</p><p>So I'm leaving all my previous posts here for posterity, and am officially retiring this blog.</p><p>The start of this blog actually coincided with my move from Sydney to London.
As an indirect result, the best part of blogging here has been getting to know the other people in the IAM blogosphere all over the world, from Europe, where I was based and most prolific in my writing, across to North America. I even got to meet and interview the then President of Oracle, <a href="https://www.linkedin.com/in/charlesphillips1/" target="_blank">Charles Phillips</a>.</p><p>Blogging gave me the opportunity to speak with people internationally for professional reasons, which was not something I had had before, being just a few years into my infosec career with a community very localised to Sydney, Australia.</p><p>Thank you to all the other bloggers I've had the privilege of interacting with over the years, and to all of you for reading and commenting.</p><p>Nowadays, you can still find me writing on a multitude of different platforms, including <a href="https://linkedin.com/in/ianyip" target="_blank">LinkedIn</a>, <a href="https://ianyip.medium.com" target="_blank">Medium</a>, and other official media publications.</p><p>For the most up-to-date set of links to where I may be posting things, check out <a href="http://ianyip.com" target="_blank">ianyip.com</a> or follow me on my social media accounts (<a href="https://linkedin.com/in/ianyip" target="_blank">LinkedIn</a>, <a href="https://twitter.com/ianyip" target="_blank">Twitter</a>).</p>Posted by Ian.

Invisible Identity (published 2015-07-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.flickr.com/photos/mikeshaheenphotography/9411777377" style="margin-left: auto; margin-right: auto;" title="My Name Was Michael & The Rest Is History by Michael Shaheen, on Flickr"><img alt="My Name Was Michael & The Rest Is History" height="400" src="https://c4.staticflickr.com/4/3811/9411777377_a19980f1d0.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History</td></tr>
</tbody></table>
In my <a href="http://blog.ianyip.com/2015/05/identity-needs-to-disappear.html" target="_blank">previous post</a>, I promised to explain the following:<br />
<blockquote>
<b>Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
</b></blockquote>
If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It <a href="http://www.wired.com/2015/03/disney-magicband" target="_blank">cost them a lot of money</a>. Disney calls it "magic". The technology powering the MagicBand infrastructure was complicated to build, but they've done it and have the <a href="http://www.latimes.com/business/la-fi-attendance-at-disney-parks-up-7-review-of-magic-bracelet-strong-20150203-story.html" target="_blank">increased revenue to show for it</a>. They've also managed to turn what is effectively a security device into a new revenue stream by making people pay for them, including charging a premium for versions that have Disney characters on them.<br />
<br />
While it does many things, arguably the key benefit of the MagicBand is in delighting Disney's customers by providing seamless, frictionless, surprising experiences without being creepy. For example, when you walk up to a restaurant, you can be greeted by name. You will then be told to take a seat anywhere. Shortly after, your pre-ordered meal will be brought to you wherever you chose to sit, just like magic. If you understand technology, you can figure out for yourself how this might work. But the key in all this is the trust that the consumer places in the company. Without the trust, Disney steps over the "creepy" line.<br />
<br />
How does Disney ensure trust? Through security of course. Sure, the brand plays a part, but we've all lost trust in a supposedly trusted brand before because they screwed up their security.<br />
<br />
The key pieces of that security? Identity proofing, authentication, access control and privacy, none of which is possible without a functional, secure identity layer.<br />
<br />
Conveniently (for me), <a href="http://twitter.com/iglazer" target="_blank">Ian Glazer</a> recently delivered 2 presentations that go into a little more depth around the points I'd otherwise have to laboriously make:<br />
<br />
<ol style="text-align: left;">
<li><a href="https://www.tuesdaynight.org/2015/05/28/stop-treating-your-customers-like-your-employees.html" target="_blank">Stop treating your customers like your employees</a></li>
<li><a href="https://www.tuesdaynight.org/2015/06/09/identity_is_having_its_tcpip_moment.html" target="_blank">Identity is having its TCP/IP Moment</a></li>
</ol>
If you have some time, do yourself a favour and follow those links - you might just learn something :)<br />
<br />
What Disney has managed to achieve within their closed walls is exactly what every organisation trying to do something with omni-channel and wearables would like to achieve. Disney is a poster child for what is possible through an identity-enabled platform, particularly in bringing value to the business through increased revenue and customer satisfaction. Identity truly is the enabler for Disney's MagicBand.<br />
<br />
The reason it works is that no one notices the identity layer. Not every organisation will be able to achieve everything Disney has managed, but even going part of the way is worth the effort. Only by ensuring the identity layer is there can you really make it invisible.<br />
<br />
<b>Until people stop noticing the identity layer, you need to keep working on it</b>. Only then will the business see the full potential and value that identity brings to increasing revenue.</div>
Posted by Ian.

Identity needs to disappear (published 2015-05-28, updated 2015-07-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.flickr.com/photos/paulchapmanphotos/12368426343" style="margin-left: auto; margin-right: auto;" target="_blank" title="The disappearing machine by Paul Chapman, on Flickr"><img alt="The disappearing machine" height="235" src="https://c2.staticflickr.com/6/5547/12368426343_a442872284.jpg" title="" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo source: Paul Chapman - The disappearing machine</td></tr>
</tbody></table>
In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be <i>on-message</i>, each beating everyone to death with their own version; identity-centric-security, identity-powered-security, identity-defined-security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.<br />
<br />
Yeah, we get it. Identity is VERY important. Enough already.<br />
<br />
The problem with rolling out the same message for years is that people stop listening. It's like the age-old line in press releases: "the market leader in"; sure, you and every other vendor out there. The <i>market leader</i>. Yeah, right.<br />
<br />
Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all <i>broken-record</i> on this means:<br />
<ol style="text-align: left;">
<li>We've not been very effective in explaining what we mean. AND/OR</li>
<li>No one gives a crap.</li>
</ol>
The truth is probably a combination of the two.<br />
<br />
From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"<br />
<br />
Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?<br />
<br />
We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.<br />
<br />
In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).<br />
<br />
Today, we often pull out the <i>data-loss</i> card. But we can do better:<br />
<blockquote>
<b>Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be <i>invisible</i>.
</b></blockquote>
I'll explain in the next post.<br />
<br />
<i>Update: The <a href="http://blog.ianyip.com/2015/07/invisible-identity.html" target="_blank">next post</a> is up.</i><br />
<br /></div>
</div>
Posted by Ian.

Hey security managers, go hire some marketing people for your team (published 2014-09-15)<div dir="ltr" style="text-align: left;" trbidi="on">
This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.<br />
<br />
There were 2 key messages attendees should have taken away from the <a href="http://www.gartner.com/technology/summits/apac/security/" target="_blank">Gartner Security & Risk Management Summit</a> in Sydney a few weeks ago:<br />
<ol style="text-align: left;">
<li>Security priorities tend to be set based on the threat du jour and audit findings.</li>
<li>Security teams need to get better at marketing.</li>
</ol>
Here's the problem:<br />
<ol style="text-align: left;">
<li>Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.</li>
<li>People who hold the keys to budgets read headlines, which perpetuates the problem.</li>
<li>Product marketing teams know this. So, to get more inbound traffic to their websites, the content creation and PR teams craft "stories" and "messages" around the threat du jour.</li>
<li>Publications notice that vendor messages are in line with their stories, which fuels the hype.</li>
</ol>
<b>It's like how seeing something on fire makes us think about checking whether our insurance covers fire damage. Meanwhile, the front gate's been broken for the past week but we've left it alone because no one's stolen anything from the house yet.</b><br />
<br />
How can an internal marketing campaign driven by the security team help? You won't be able to stop the hype that builds up around the threat du jour. But as an internal team, you <i>should</i> know what the organisation you work for really cares about in business terms. Take audit findings as an example. While rather boring on their own, translate them into tangible financial implications for the business and you suddenly have something worth talking about as an overall program instead of a checkbox to tick (which is unfortunately how a lot of internal security budgets get signed off).<br />
<br />
As a starting point, take a look at my <a href="http://bit.ly/1n16hoj" target="_blank">tongue-in-cheek post about contributed articles</a>. While laced with sarcasm, the structure of my "meaningless contributed article" template works (because it's a structure many are subconsciously used to) if the content holds up. Ensure you have the following points covered:<br />
<ul style="text-align: left;">
<li>Detail the industry trends that are affecting the organisation.</li>
<li>What are independent sources (both internally and externally) saying about them?</li>
<li>Why should the business care (don't use technical terms)?</li>
<li>Outline some meaningful metrics (an interesting metric does not necessarily mean it's useful - ask yourself if anyone in the organisation will care).</li>
<li>What does it mean in financial terms for the business if something is not done?</li>
<li>What have other organisations done to solve the problem?</li>
<li>What are the steps the organisation you work for need to take and what are the benefits (again, don't use technical terms)?</li>
</ul>
The mistake many of us make is in thinking marketing is easy; it's not. And it takes good marketing to sell security internally. Crafting an article can help home in on what really matters and justify budget allocation, which makes it easier to ignore the noise.<br />
<br />
Great marketing focuses on what matters by simplifying the messages and communicating the value, be it emotional or financial. This is what most security teams do not know how to do, which is why budgets are not allocated to fix that lock on the front gate. Instead, budgets are spent on fire insurance.<br />
<div>
<br />
I know this is ironic coming from me as I work for a security vendor. But if security teams hired marketers to communicate the things that matter to an organisation's security instead of the threat du jour, we as an industry will benefit from it.<br />
<br />
As an aside, ever notice how many security companies have the word "fire" in their name?</div>
</div>
Posted by Ian.

How to spot a meaningless contributed article (published 2014-08-29)<div dir="ltr" style="text-align: left;" trbidi="on">
What is a contributed article? They're the ones where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first-hand experience as I've <a href="http://ianyip.com/#media" target="_blank">written a number</a> for various publications and understand the process.<br />
<br />
Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.<br />
<br />
Naturally, the process results in content of varying quality. The worst ones are typically not written by the individual, but ghost-written by someone else (usually without sufficient domain expertise). The vendor spokesperson/SME simply gets the byline. These end up sounding generic and the reader learns nothing.<br />
<br />
More commonly, the resulting article is an equal and collaborative effort between everyone involved. While this is marginally better, it still sounds inauthentic, somewhat generic and provides little value. Why? The keyword here is "equal". The SME needs to be the main contributor instead of simply providing their equal share of input.<br />
<br />
The best contributed articles are the ones written by someone:<br />
<ol style="text-align: left;">
<li>With the necessary domain expertise.</li>
<li>Who knows how to write.</li>
<li>Who has the time to do it.</li>
<li>Who is willing to allow an editor/reviewer to run their virtual red pens through it without getting offended.</li>
<li>Who is not blatantly trying to sell something.</li>
</ol>
Unfortunately, contributed articles tend to be mediocre or just terrible, and that is a real shame, because there are lots of really smart people that could produce great content (with some help and editing) if they weren't under corporate pressure to be 100% "on message". The art, of course, is to be "on message" subtly while still being able to contribute to the conversation in a meaningful way.<br />
<br />
So how do you spot a meaningless contributed article? They usually look like this...<br />
<blockquote>
<h3 style="text-align: left;">
<span style="color: #666666;"><i>Meaningless headline that was put here for click-baiting purposes</i></span></h3>
<span style="color: #666666;"><i>You know that issue that's been in the news this week? And that other bit of similar news from last week? Oh, and those other countless ones from the past few months? They're only going to get worse because of buzzword 1, buzzword 2 and buzzword 3. Oh, don't forget about buzzword 4.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>That large analyst firm, their biggest competitor and that other one that tries really hard to be heard all agree. Here's some meaningless statistic and a bunch of percentages from these analyst firms that prove what I'm saying in the previous paragraph is right. I'm adding some independent viewpoints here people, so it's not just about what I'm saying, even though it is.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>So what to do about all this? You should be really worried about solving the problem you may or may not have had but now that I've pointed it out, you definitely have it. You aren't sure? Well, then listen to this.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>Here's an anecdote I may or may not have made up about some organisation that shall remain nameless but is in a relevant industry relating to what I'm trying to sell you, oh wait, that I'm providing advice on because you've got this really big issue that you're trying to solve but just don't know you need to solve it yet but will do once you've read this.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>So how do you solve your problem? Well, the company I work for happens to have a solution for this problem that you've now got. I won't be so blatant as to tell you this, but you will no doubt look me or my company up that search engine thing and see what we do and put it all together and then contact our sales team who will then sell it to you so I can get paid.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>Here is another anecdote I may or may not have made up about how an organisation has solved the issues I've so clearly laid out for you that can so easily be solved, as shown by this very real (or fictitious, nameless) organisation.</i></span><br />
<span style="color: #666666;"><i><br /></i></span>
<span style="color: #666666;"><i>My word-limit is almost up so I'll tell you what I've already told you but just in a slightly different way. In conclusion, you're screwed unless you solve this really generic issue with the silver bullet that organisation x used. So, buy my stuff</i>.</span></blockquote>
I'm not saying every article with these characteristics is terrible. But very often, the "I have a hammer to sell, so everything is a nail" articles are structured this way. They are generic and leave the reader with the feeling that they just read a bunch of random words. I, for one, stop reading an article when it starts to smell like this.<br />
<br />
<b>Note:</b><br />
For the record, I NEVER allowed my articles to be ghost-written, much to the frustration of the people managing the whole process. The problem this introduced was that content could not be churned out as quickly because I became the bottleneck. I wouldn't even agree to have someone else start the article for me. I had to start it from scratch and have final approval on it (once my drafts were run past a set of editors and reviewers of course). This made for more authentic, balanced content while still maintaining some level of being "on message", which kept marketing happy.</div>
Posted by Ian.

Doing business in Asia: five etiquette tips (published 2014-04-06)<div dir="ltr" style="text-align: left;" trbidi="on">
I contributed a piece to Australian BRW late last month that had nothing to do with IT security, but I thought it may be of interest to those of you who are new to doing business with Asia and would like somewhere to start.<br />
<br />
It's quite general, but large mainstream publications want content that will appeal to the masses, not niche pieces that few people will care about. So, if you're an expert on Asia, none of what I've written will be new.<br />
<br />
Here's a teaser:
<br />
<blockquote>
"Business etiquette in western countries is similar enough that we get away with most things. The little quirks are normally overlooked or forgiven, using the “not from around here” explanation. Asia however, is a slightly different animal."</blockquote>
Check out the <a href="http://bit.ly/PvM9QX" target="_blank">full article on BRW.</a> </div>
Posted by Ian.

RSA Conference 2014 redux (published 2014-03-17)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-U3J7DWGQhag/Ux0pyPyxPyI/AAAAAAAAAnA/otuSbiKf8mk/s1600/IY-RSAC2014.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-U3J7DWGQhag/Ux0pyPyxPyI/AAAAAAAAAnA/otuSbiKf8mk/s1600/IY-RSAC2014.jpg" height="300" width="400" /></a></div>
<br />
If you <a href="https://twitter.com/intent/follow?screen_name=ianyip" target="_blank">follow me on Twitter</a>, you probably noticed a heightened volume of Tweets from me during the <a href="http://rsaconference.com/events/us14/" target="_blank">RSA Conference in San Francisco</a>. It was great catching up with many of you based stateside that I rarely get to see in person. I was also fortunate enough to be allowed to attend sessions, and I live-Tweeted the ones that were interesting. Therefore, I'm not going to regurgitate/organise my Tweets into thoughts here. I will, however, highlight a few key points that I felt were important.<br />
<br />
<h3 style="text-align: left;">
NSA, NSA, Snowden, NSA</h3>
This was an RSA conference where everyone was talking about the NSA. First, there were the <a href="http://blogs.wsj.com/digits/2014/01/07/security-experts-withdraw-rsa-conference-nsa-protest/" target="_blank">well-publicised boycotts</a> from speakers. Then came the <a href="https://www.trustycon.org/" target="_blank">competing conference</a>. Then there were the <a href="http://www.zdnet.com/obnoxious-rsa-protests-by-def-con-organizations-code-pink-draw-ire-7000026822/" target="_blank">protesters</a>. RSA Chairman Art Coviello <a href="http://www.rsaconference.com/videos/113/finding-a-path-forward-in-an-increasingly" target="_blank">opened the conference and addressed it</a> up front (right after William Shatner's song and dance). Stephen Colbert closed the conference with an <a href="http://edition.cnn.com/2014/03/01/tech/colbert-rsa-keynote/" target="_blank">NSA-heavy keynote</a> (incidentally, he was hilarious). And in a show of courage or stupidity depending on your perspective, the NSA even had a booth on the expo floor.<br />
<br />
There were many stories written about this during the conference, so just use your search engine of choice. But if you don't feel like searching, check out the New York Times' Nicole Perlroth and her <a href="http://bits.blogs.nytimes.com/2014/02/28/at-the-rsa-security-conference-things-get-testy-and-then-they-get-awkward/?_php=true&_type=blogs&_r=0" target="_blank">blog post</a> detailing some of the NSA-focused activities. My Tweet stream was also relatively NSA-heavy, so go <a href="https://twitter.com/ianyip" target="_blank">check that out</a> too.<br />
<br />
<h3 style="text-align: left;">
Damage control</h3>
There were many US Government speakers from various departments and they all had one thing in common: they were in damage control mode. Essentially, it boiled down to these points:<br />
<br />
<ol style="text-align: left;">
<li>We assumed everyone knew we do the whole electronic surveillance thing. We didn't know it would be such a big deal and we're sorry, but we have to do it. And by the way, better it be the US Government than some foreign hostile nation. They're all just pissed that we're so much better at it than everyone else.</li>
<li>We must work on collecting only what we need instead of absolutely everything. But if you've ever tried to do this, you know it's easier to collect everything instead of being selective.</li>
<li>We, the US Government, want to work more closely and cooperatively with US companies on making the Internet, technology and the real world safer for all.</li>
</ol>
<br />
<h3 style="text-align: left;">
Encryption</h3>
<div>
How do we make life more difficult for governments to spy on us? Encryption. Sure, governments have quantum computers working at cracking encryption measures, but they really don't like having to do it. It was a topic of discussion during the cryptographers' panel, in relation to the NSA, and Bruce <a href="https://www.schneier.com/" target="_blank">Schneier</a>, who has mentioned it on many occasions, reiterated his sentiments during his session at the conference.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-vcULFCweKVc/Ux1ZXjAMXhI/AAAAAAAAAnQ/P8kPetMe_6g/s1600/schneier-rsa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-vcULFCweKVc/Ux1ZXjAMXhI/AAAAAAAAAnQ/P8kPetMe_6g/s1600/schneier-rsa.jpg" height="240" width="320" /></a></div>
<div>
I said it in my <a href="http://bit.ly/1ccmHcq" target="_blank">IT security predictions for 2014</a> and I've mentioned it <a href="http://bit.ly/1iurvLN" target="_blank">on television</a>.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.youtube.com/watch?v=6PE9piY51_A" target="_blank">Watch the television segment on YouTube</a></div>
<div>
Start with encryption. It won't fix all your security issues, but it's a good start and a good countermeasure for issues beyond the NSA and government spying.</div>
<h3 style="text-align: left;">
Privileged user controls</h3>
<div>
Although Snowden has become the poster child for how much damage privileged users can do, there wasn't a great deal of noise about it (compared to the NSA and government spying), except in sessions relating to industrial control systems. In every session I attended where industrial control systems were a topic of interest, privileged users came up as a primary focus area. Often, industrial control systems are tied to user directories (usually Active Directory), and most attacks simply aim to compromise an account within the directory. Once an account is compromised, an attacker will escalate privileges until they have sufficient access; in other words, the more "administrative" the account, the quicker the compromise. In short, at the very least, organisations must secure and monitor privileged accounts in directories and operating systems.</div>
<h3 style="text-align: left;">
Internet of Things (IoT)</h3>
<div>
You didn't need to attend the conference to know IoT is big in 2014. While I don't believe many are doing anything in terms of IoT, <a href="http://bit.ly/1ccmHcq" target="_blank">I don't discount the fact everyone wants to talk about it</a>. It became clear in listening to some IoT-focused sessions that the biggest challenge in securing the IoT at the moment lies with the ignorance and complacency in the manufacturing process, particularly with device manufacturers.<br />
<br />
Far too many do not implement (or care about) basic security practices in delivering a product. Many use default settings, which are often insecure. In addition, they often reuse the same insecure software components in updated versions. Beyond this, there is difficulty patching existing devices, particularly in trying to figure out how to do this without user intervention. We can't even get this right for existing computing devices. How are we expected to get it right for devices with in-built computers most are not aware of and cannot access easily through a usable interface? This is why it's relatively easy to <a href="http://blog.ioactive.com/2013/08/car-hacking-content.html" target="_blank">hack cars</a>.</div>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-56895765620104395492014-03-12T15:50:00.001+11:002014-03-12T15:50:38.679+11:00Australia's new Privacy Principles - things to consider<div dir="ltr" style="text-align: left;" trbidi="on">
Effective today (12th March 2014), Australia's Information Privacy Principles and National Privacy Principles will be replaced by <a href="http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles" target="_blank">13 Australian Privacy Principles (APPs)</a>. Here are the important points to note:<br />
<br />
<ul style="text-align: left;">
<li>Applies to all organisations that turn over more than $3 million per year and collect personal data.</li>
<li>Fines up to $1.7 million for breaches.</li>
<li>Organisations must be transparent about how they collect, use and store personal data.</li>
<li>Organisations cannot collect data “just in case they need it”.</li>
<li>If personal data is disclosed to a 3rd party, the organisation disclosing the data is responsible for ensuring the 3rd party understands their obligation and that the consumer knows about the disclosure.</li>
</ul>
<div>
<div>
This effectively gives the Office of the Australian Information Commissioner (OAIC) teeth as the fines are now significant when compared to previous legislation. For example, Australian Telecommunications giant Telstra has only been <a href="http://www.abc.net.au/news/2014-03-11/telstra-breaches-privacy-of-15775-customers/5312256" target="_blank">fined a measly $10,200 AUD</a> for their recent violation.</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Mindful collection and sharing</h3>
<div>
The days of "we'll ask for the information in case we need it" are gone. Organisations need to think about what they really need to achieve the task at hand and collect only what they need. As consumers, we should be able to sign up for online services in a shorter amount of time instead of frustratingly getting stuck on a submission form which constantly complains we haven't filled in certain fields.</div>
<div>
<br /></div>
<div>
<div>
Marketing programs and processes need to be reviewed to ensure personal data is not being inappropriately shared with 3rd parties. Many companies have little visibility into, or understanding of, how personal data flows to those parties, sometimes through no fault of their own. The number of technology integration points involved is challenging, but as privacy is now tied to financial penalties, this is a huge risk to businesses and should be addressed urgently through the involvement of IT departments and potentially external assistance.</div>
<div>
<br /></div>
<div>
If information is justifiably shared outside of the organisation, the organisation will need the ability to determine whether an overseas 3rd party it discloses personal information to also complies with the Privacy Act. This is a function many organisations do not have and will need to include as part of their risk management program.</div>
</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Personal information</h3>
<div>
In all things privacy-related, things tend to be up for debate, none more so than the term "personal information". The safest way for organisations to tackle this ambiguity is to assume data can be tied together from various sources, even when not immediately obvious as to how, to form context that can be tied to an individual. For example, an IP address is a potential identifier of an individual when combined with information from the relevant Internet service provider.</div>
<div>
<br /></div>
<div>
Personal data can also be stored in unexpected locations that organisations may be unaware of, the most obvious being application logs. IT departments need to perform an internal audit of the information applications use and ensure they are not subject to inadvertent personal data leakage through logs as a result of log file settings.</div>
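<div>
As an added example (not from the original post), the Python script below does the kind of audit just described over a handful of constructed log lines: it flags e-mail addresses, IPv4 addresses and Luhn-valid card numbers that have ended up in application logs, and shows how the same patterns can redact them before the log is written. The patterns and the sample lines are assumptions made for this example; real logs will need the pattern set tuned to the identifiers the business actually handles.</div>

```python
import re
from typing import Dict, List, Tuple

# Identifiers that commonly leak into application logs. These patterns are an
# assumption for this example; extend them for the data your applications hold.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # IPv4 only; an IP address is a potential identifier once the ISP is involved.
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # 13-19 digit runs with optional separators; confirmed with Luhn below so
    # that order and job numbers are not reported as card numbers.
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card-like digit runs from plain IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(line: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every identifier found in one log line."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            text = match.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"[ -]", "", text)):
                continue
            hits.append((kind, text))
    return hits


def redact(line: str) -> str:
    """Replace each identifier with a <KIND> placeholder so the log stays useful."""
    for kind, text in find_pii(line):
        line = line.replace(text, f"<{kind.upper()}>")
    return line


def audit_log(lines: List[str]) -> Dict[str, int]:
    """Count identifier kinds across a log; the summary a privacy audit wants."""
    counts: Dict[str, int] = {}
    for line in lines:
        for kind, _ in find_pii(line):
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "2014-03-12T09:14:02 INFO login ok user=jane.citizen@example.com ip=203.0.113.42",
    '2014-03-12T09:14:05 DEBUG form payload: {"card": "4111 1111 1111 1111", "amount": 42.00}',
    "2014-03-12T09:14:07 INFO order 1000234 created",
    "2014-03-12T09:14:09 WARN retry 3 for job 9876543210123",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
    print(audit_log(SAMPLE_LOG))
```

<div>
The DEBUG line is the typical culprit: a developer dumps a request payload to diagnose a problem and the setting is never turned off in production. Running the audit periodically over real log samples, and wiring the redaction into the logging layer, is cheaper than explaining the leak afterwards.</div>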
<div>
<br /></div>
<div>
There is also additional administrative overhead in dealing with personal information and its access. The right technologies and a properly implemented reliance on external information providers can help. For example, power can be given to individuals to have complete control over the information stored about them through self-service portals. In addition, there may not be a need to store certain pieces of information. Standards exist (e.g. pick your favourite federated identity standard) that allow a relying party requiring information about an individual to ask for it from an identity (or attribute) provider and use it in flight without having to store the information on disk.</div>
<div>
<br /></div>
<div>
Beyond the more mature federated identity standards, there are emerging ones such as <a href="https://kantarainitiative.org/confluence/display/uma/Home" target="_blank">User Managed Access (UMA)</a> that place more power in the hands of consumers (i.e. the rightful owners of the data). While not yet supported in many technology stacks, the concepts are sound and organisations would do well to adopt the thinking behind what UMA is attempting to achieve in the longer run.</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Summary</h3>
<div>
Australian organisations need to treat personal data like they would financial information. For example, there is a raft of measures dictated by the PCI-DSS standard regarding the storage and usage of credit card numbers. While the number of credit card data breaches has proven PCI-DSS alone does not prevent breaches, existing data protection standards are a good start for organisations struggling to deal with the implications of the new privacy principles. Organisations would do well to adopt many of the same measures dictated by security standards in protecting personal data as a start. As they understand the requirements and data flows over time, more sophisticated security and access management measures can be implemented to round out an evolving security program.</div>
</div>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-40588001399657447642014-01-09T01:00:00.000+11:002014-01-09T01:00:01.023+11:00Moving beyond incident identification<div dir="ltr" style="text-align: left;" trbidi="on">
I <a href="http://bit.ly/1ccmHcq" target="_blank">made a few IT security predictions for 2014</a> late last year, but I want to highlight item number 3 as it's become particularly relevant:<br />
<blockquote>
"Security departments will shift their focus from incident identification to incident reaction and management"</blockquote>
We're only a week into 2014 and the two highest profile IT security stories so far are related to incident reaction and management (a.k.a. response).<br />
<br />
While the <a href="http://www.nytimes.com/2014/01/03/technology/fireeye-computer-security-firm-acquires-mandiant.html/" target="_blank">acquisition of Mandiant by FireEye</a> technically completed in 2013, it was only announced in 2014. To quote the New York Times article:<br />
<blockquote>
"Mandiant is best known for sending in emergency teams to root out attackers who have implanted software into corporate computer systems."</blockquote>
The other piece of news was that Bruce Schneier has joined Co3 systems. In his <a href="https://www.schneier.com/blog/archives/2014/01/ive_joined_co3.html" target="_blank">own post on the matter</a>, he states:<br />
<blockquote>
"...there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now, it's time for response."</blockquote>
The true value in security monitoring, and by association Security Information and Event Management (SIEM), lies in moving beyond incident identification/detection. SIEM technologies have become much better over the past few years at using data analysis techniques to translate raw data and events into useful information that security departments can understand and hopefully act on.<br />
<br />
Unfortunately, few organisations have the resources available to react to incidents adequately and in a timely manner let alone attempt to manage them. Incident identification/detection without the ability to respond is akin to having an alarm on your house go off that only your neighbours can hear. Even if they are around, how many actually care enough to do something about it?<br />
<br />
The best alarms don't make any noise, but lock the house down so that no one can leave while simultaneously sending an alert to have a professional incident response team dispatched to the premises to deal with the threat while the incident is in-progress. Of course, it would have been better if they hadn't been able to enter in the first place, but we'll leave access management discussions for another day. Security departments need to work on the presumption that bad guys will get in somehow.<br />
<br />
While the latter option sounds more like a military operation, it's how organisations need to be thinking about security incidents in 2014. At the very least, security departments need to have properly thought out, documented incident reaction and management procedures that anyone can follow with minimal training. While not every incident response person can be the IT security equivalent of a Navy SEAL, at least have a security guard on staff and augment with external assistance by using tools or service providers.<br />
<br />
As I said in my predictions article:<br />
<blockquote>
"The focus when dealing with threats up to this point has been on the identification of them. Vendors spend large sums of money expounding the wonders of their tool’s collection and analytical abilities. It has become a game of “my feature is better than your feature” and “my analytics are better than your analytics”. Ultimately, it is pointless identifying a threat when there is no path forward to manage the incident, deploy the appropriate responses and counter the threat through remediation."</blockquote>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-83436212381167355982014-01-06T14:28:00.001+11:002014-01-06T14:37:40.760+11:00Why crooks love gift cards and how retailers are to blame<div dir="ltr" style="text-align: left;" trbidi="on">
It’s the holiday season, and those who don’t feel like thinking about a particular gift can cop out by giving a gift card. For those that have never used one, it’s relatively simple. The card number combined with an access code is usually enough information for a gift card to be used for a purchase; this is how it usually works when making online purchases. At the actual physical store, the use of a gift card typically requires the user to also be in possession of it.<br />
<br />
<h3 style="text-align: left;">
Fraud liability lies with the purchaser</h3>
Gift cards are designed with convenience in mind with no regard to security or indemnity. If your bank issued a card with the PIN printed on it, you would immediately cut it up, cancel it and change banks. Unfortunately, this is exactly what most retailers do with gift cards.<br />
<br />
Both the number and the access code are displayed on the actual card (both physical and virtual versions). This is all one needs to make a purchase using the card. The anonymous nature of gift cards is just as much of a problem. Crooks love anonymity because at no point can a transaction be linked back to them.<br />
<br />
To add to the mess, most retailers have a statement in the fine print to “treat the card like cash as we cannot process refunds in the event of theft or loss”. We would not tolerate this type of behaviour from financial institutions, yet that’s exactly what we do each time we buy a gift card. At least financial institutions will indemnify cardholders from loss or theft. Retailers simply say “too bad, your loss, not our problem”.<br />
<br />
Because retailers do not care enough to accept responsibility, at no point will they ever attempt to investigate the crime and the criminals that stole your gift card details get away scot-free.<br />
<br />
<h3 style="text-align: left;">
Digital gift cards are less secure than physical ones</h3>
While gift cards are not secure for the reasons already mentioned, digitally-delivered cards are worse. With physical gift cards, the most blatant, practical example of fraud involves crooks cloning inactive cards from stores and subsequently waiting for them to be activated through a legitimate purchase.<br />
<br />
The best way around this particular method of fraud is to cover the access code on each card with a layer that can be scratched off, which many retailers have implemented. This is a simple, yet effective way to reduce the risk because if a card has a visible access code, you know it’s been compromised. Unfortunately, the digital version of this “scratch layer” is often non-existent.<br />
<br />
The most common method of retrieving a digital gift card involves accessing a URL. To understand why this is a problem, consider that the URL to retrieve a gift card is often derivable, even when part of the URL is encoded or encrypted. It is not too difficult for a skilled attacker to learn the standard URL pattern by legitimately ordering a card and then brute-forcing the parts of the URL that change, similar to how passwords are cracked, to retrieve other people's gift cards.<br />
<br />
The digital equivalent of a “scratch layer” would be to make the retrieval URL accessible exactly once. This way, one would know upon an attempt to retrieve the card if it has already been compromised through its URL and contact the retailer to report the issue immediately instead of finding out after the card has already been used. Once a card has been used by the fraudster, it is too late and there is no recourse for the victim.<br />
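<div>
As an added example (not part of the original post), here is a Python sketch of the digital "scratch layer" just described, next to the enumerable pattern it replaces. The retrieval URL carries a 256-bit random token that cannot be derived from another card's URL, the service stores only a hash of the token, and the card details are handed out exactly once: a second visit returns an "already redeemed" status the customer can act on before the card is spent. The hostname, URL shapes and card values are assumptions made for the example.</div>

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32  # 256 bits of randomness per link; guessing is not practical


@dataclass
class CardRecord:
    card_number: str
    access_code: str
    redeemed: bool = False


@dataclass
class RetrievalService:
    """Single-use retrieval links: the digital equivalent of a scratch layer."""
    base_url: str = "https://gifts.example.invalid/retrieve/"  # assumed host
    # Keyed by SHA-256 of the token, so a copy of this table alone (an insider,
    # a backup, a database dump) is not enough to build a working URL.
    _store: Dict[str, CardRecord] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, card_number: str, access_code: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._store[self._key(token)] = CardRecord(card_number, access_code)
        return self.base_url + token

    def redeem(self, token: str) -> Tuple[str, Optional[CardRecord]]:
        """("ok", record) the first time; a status string and None afterwards."""
        record = self._store.get(self._key(token))
        if record is None:
            return ("unknown", None)
        if record.redeemed:
            # The scratch layer is already gone: tell the customer so they can
            # report it to the retailer before the balance is used.
            return ("already_redeemed", None)
        record.redeemed = True
        return ("ok", record)


class SequentialRetrieval:
    """The weak pattern the post describes: the changing part is a counter and
    the link works any number of times."""

    def __init__(self) -> None:
        self._next_id = 100000
        self._cards: Dict[int, CardRecord] = {}

    def issue(self, card_number: str, access_code: str) -> str:
        card_id = self._next_id
        self._next_id += 1
        self._cards[card_id] = CardRecord(card_number, access_code)
        return f"https://gifts.example.invalid/retrieve?id={card_id}"

    def redeem(self, card_id: int) -> Optional[CardRecord]:
        return self._cards.get(card_id)


def enumerate_neighbours(weak: SequentialRetrieval, known_id: int, window: int) -> int:
    """An attacker who bought one card tries the ids around it; returns how many
    other people's cards the weak service hands over."""
    return sum(
        1
        for card_id in range(known_id - window, known_id + window + 1)
        if weak.redeem(card_id) is not None
    )


if __name__ == "__main__":
    service = RetrievalService()
    link = service.issue("6012 3456 7890 1234", "4821")  # constructed values
    token = link.rsplit("/", 1)[1]
    print(service.redeem(token))   # ('ok', CardRecord(...))
    print(service.redeem(token))   # ('already_redeemed', None)
```

<div>
Two points are worth noting. Making the link single-use does not stop an attacker who gets to it first, but it turns a silent theft into a visible one at the moment the legitimate recipient tries to use it. And storing only the token hash means the retrieval table itself is not the prize; the clear-text card number and access code still need the same protection the post argues for elsewhere.</div>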
<br />
<h3 style="text-align: left;">
No protection against insiders</h3>
As is the case in many organisations, the insider with access is a huge risk in this particular context. Credit card numbers are partially protected through PCI-DSS requirements that mandate encryption of stored card details and audit of access. Gift card details however are not subjected to the same rules and thus can be stored in clear text and not be monitored when accessed without regulatory consequences for the retailer.<br />
<br />
Organisations tend to ignore security when they are not liable in the event of a security incident. In the case of gift cards, no liability lies with the retailer. This means employees of a retailer storing gift card details in the clear have relatively easy access. In addition, even if the retailer happens to have audit mechanisms tracking access to databases storing gift card details, the fact that consumers are expected to “treat gift cards as cash” is a sure sign that a retailer will not spend precious dollars to investigate any potential internal fraud with gift cards.<br />
<br />
<h3 style="text-align: left;">
Too many third parties involved</h3>
Another trend that contributes to the problem is the use of third parties to administrate and issue gift cards. For example, many large retailers in Australia use the same third party company to do this. The problem with third parties is that access to data is now expanded to people not directly associated with the responsible retail organisations.<br />
<br />
As gift cards are not subjected to the same standards as credit card information, employees of the third party company potentially have full access to gift card details of multiple retailers and can exploit this access for personal profit much more easily than if they were attempting to steal credit card numbers.<br />
<br />
<h3 style="text-align: left;">
No regulation, no deal</h3>
Gift cards are effectively cash cards. Retailers have said so themselves in an attempt to indemnify themselves from liability in the event of fraud. The problem is that they are indemnifying themselves at the expense of fraud victims, also known as customers. The relationship in this instance is completely one-sided in favour of retailers.<br />
<br />
Financial institutions dealing with credit card details are not afforded the same cop-out liability statement. In fact, it is the opposite. Financial institutions are held liable in the event of fraud and we as consumers are protected.<br />
<br />
Imagine if we were told that whenever we use a credit card, we assume all the risk? Mastercard, Visa and American Express would go out of business very quickly. Why are retailers not subjected to the same rules?<br />
<br />
It is time we woke up and realised exactly how unprotected we as consumers are when we buy gift cards. If you feel the need to buy a gift card for someone else, do what Asians do instead and put cash in a red packet.<br />
<br />
In Asia, giving a red packet to someone implies you are wishing them good fortune. Giving someone a gift card however, means you couldn’t be bothered. You may also have just gifted them a worthless piece of plastic which they will resent you for when they try to use it.</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-86018069942054909942013-12-20T00:47:00.000+11:002013-12-20T00:47:08.252+11:00IT security predictions 2014<div dir="ltr" style="text-align: left;" trbidi="on">
It's prediction season again and I've written a <a href="http://bit.ly/1ccmHcq" target="_blank">piece for CSO Australia</a>.<br />
<br />
Here's how it starts...<br />
<blockquote>
"2013 was the year of Edward Snowden and the NSA spying revelations. We also faced a deluge of data breaches with an increasingly large amount of information compromised. The emerging trends that appeared on the radar in 2012 such as Cloud, Mobility, Social and Big Data became key challenges for organisations in 2013. These will continue to be important in 2014, but what will they evolve into? What other things do we need to consider?"</blockquote>
<br />
Click through to the <a href="http://bit.ly/1ccmHcq" target="_blank">article</a> for the predictions. Got an opinion? Comment or <a href="http://twitter.com/ianyip" target="_blank">Tweet me</a>.</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-72497619801504882052013-11-18T13:57:00.000+11:002014-01-06T14:36:01.334+11:00Social identities are becoming our online driver’s licence<div dir="ltr" style="text-align: left;" trbidi="on">
<i>Note: This is a companion blog post to an <a href="http://bit.ly/YyNJ5S" target="_blank">article I wrote earlier this year for CSO Australia</a>. The original essay was too long for an online publication, so I split it up into 2 related, but independent pieces.</i><br />
<br />
For the generation that assumes a priori that the Internet is a tangible, more-essential-than-oxygen component of the air, social networks have become the digital manifestation of their identities as people. Most use each social network for a specific purpose. For example, Facebook content is typically personal and LinkedIn content is almost always professional. Where possible, we try to confine their use within our subconscious boundaries, but they invariably bleed into each other through porous walls. Nevertheless, each is a persona; a one dimensional representation of our real selves.<br />
<br />
While online, much of our significant actions require some form of identification: a licence that says enough about us as unique individuals. While we don’t need a driver’s licence to walk along a road, we do need one to drive along it. Similarly, to do anything of significance online, we need to prove who we are to varying degrees; we need a licence that says enough about ourselves to be allowed to perform certain activities.<br />
<br />
A majority of our individual activities both online and off can be divided into two categories: transactions and interactions. We transact with retailers, financial institutions and governments. We interact with friends, family, colleagues, employers and government institutions. There are exceptions to these, but a majority of what we do conforms to this model.<br />
<br />
The word “transact” in this sense is not always tied to financial activities. Anything that has a negative real-life impact when fraud is committed can be deemed as transactional. In life, our identity matters when we transact and interact with retailers, financial institutions, governments and other people. There is however, a distinct difference in the acceptable forms of identity when comparing transactional activities and interactions which is tied to risk. It is why certain organisations will accept your Facebook account as proof of identity, but others will not.<br />
<br />
<h3 style="text-align: left;">
Appropriate use of social identities</h3>
The key to understanding appropriate use for social identities is context. In real life, activities that require proper identification such as a passport or driver’s licence are transactional.<br />
<br />
If you analyse the scenarios you are familiar with in dealing with retailers, financial institutions and governments, you will quickly realise that for anything we classify as an interaction, using social identifiers for access is sufficient. For transactions, they are not.<br />
<br />
In the Information Security world, this is known as using the appropriate Level of Assurance (LOA) for the context. A higher LOA is required for transactions than for interactions. The progression to a higher LOA is typically achieved using multi-factor authentication. If you’ve ever received a code on your mobile phone immediately after your username and password were accepted, and been asked to enter it into a site before it allows you access, you have used multi-factor authentication. The SMS code sent to your mobile phone increases your LOA.<br />
<br />
In situations where social identities play a part in the authentication process, they are best used as first level of authentication. As a “lightweight” identity, this provides the personalisation we psychologically crave and the added usability organisations would like to provide. The fact that personalisation provides additional insight to organisations is a bonus for them. When the interactions verge on being transactional, the LOA needs to be raised using either a second factor or a stronger form of identification. In real life, this is best demonstrated by the fact that a driver’s licence is sufficient for entry to a bar but a passport is required to cross international borders.<br />
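<div>
As an added illustration (not from the original article), the Python sketch below shows how a relying party can enforce the distinction just drawn: a session that arrived via a social login carries a low LOA and is enough for interactions; a transactional action is refused with an instruction to step up; a one-time code, verified in constant time with a bounded number of attempts and an expiry, raises the session to the higher LOA and no further. The action names, the policy table and the LOA ladder are assumptions made for the example.</div>

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class LOA(IntEnum):
    """Level of Assurance carried by a session; higher is stronger."""
    NONE = 0
    SOCIAL = 1   # social login only: enough for interactions
    MFA = 2      # social login plus a verified possession factor (e.g. SMS code)
    VETTED = 3   # identity proofed out of band; the "passport" of the analogy


# Illustrative policy table (an assumption for this example): the LOA each
# action needs. Interactions sit at SOCIAL, transactions at MFA or above.
REQUIRED_LOA: Dict[str, LOA] = {
    "view_recommendations": LOA.SOCIAL,
    "post_comment": LOA.SOCIAL,
    "change_shipping_address": LOA.MFA,
    "pay_order": LOA.MFA,
    "close_account": LOA.VETTED,
}


@dataclass
class PendingCode:
    code_hash: str          # SHA-256 of the code, so a log or dump does not show it
    expires_at: float
    attempts_left: int = 3  # the real brute-force control for a 6-digit code


@dataclass
class Session:
    subject: str
    loa: LOA = LOA.NONE
    pending: Optional[PendingCode] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_to: Optional[LOA] = None


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def authorise(session: Session, action: str) -> Decision:
    """Allow, or say which LOA the session must step up to. Unknown actions are denied."""
    required = REQUIRED_LOA.get(action)
    if required is None:
        return Decision(False, f"unknown action {action!r}")
    if session.loa >= required:
        return Decision(True, "sufficient assurance")
    return Decision(
        False,
        f"step-up required: have {session.loa.name}, need {required.name}",
        step_up_to=required,
    )


def issue_code(session: Session, now: float, ttl: float = 300.0) -> str:
    """Create a one-time 6-digit code bound to this session. The caller sends it
    to the user's phone; it must never be returned to the browser."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending = PendingCode(_digest(code), expires_at=now + ttl)
    return code


def verify_code(session: Session, submitted: str, now: float) -> bool:
    """Consume the pending code. On success the session rises to MFA, never higher."""
    pending = session.pending
    if pending is None or now > pending.expires_at or pending.attempts_left <= 0:
        session.pending = None
        return False
    pending.attempts_left -= 1
    if hmac.compare_digest(pending.code_hash, _digest(submitted)):
        session.pending = None
        session.loa = max(session.loa, LOA.MFA)
        return True
    return False


if __name__ == "__main__":
    s = Session("alice", LOA.SOCIAL)
    print(authorise(s, "post_comment"))  # allowed
    print(authorise(s, "pay_order"))     # denied, step_up_to=MFA
    code = issue_code(s, now=0.0)        # would be sent by SMS
    verify_code(s, code, now=5.0)
    print(authorise(s, "pay_order"))     # allowed
```

<div>
Note that the step-up raises the session to MFA only; closing the account in this policy needs VETTED, which a code on a phone cannot provide. That is the point of the driver's-licence-versus-passport analogy: each additional factor buys a bounded amount of assurance, and the policy has to say where that bound falls.</div>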
<br />
<h3 style="text-align: left;">
Excessive collection of personal information</h3>
A major concern regarding the use of social identities as a login mechanism relates to the amount of sensitive personal information stored within social networks. Using your Facebook account to log in to another site does not necessarily give that site access to your Facebook account (e.g. to make updates). More commonly, the login process involves sharing the amount of information about yourself that the site requires.<br />
<br />
The word “requires” is used loosely here. Far too often sites ask for more information than they actually need because they can. We have become so accustomed that we accept it as the norm. Bad data collection practices have trained us into accepting additional risk as a condition for using the Internet. In reality, most sites really only need a way to contact you (e.g. email) and perhaps your name. Put simply, a site should only ask for the information it needs for you to complete your tasks.<br />
<br />
The <a href="http://www.smh.com.au/it-pro/security-it/fifty-thousand-exposed-in-abc-website-hack-20130227-2f5j9.html" target="_blank">breach the Australian Broadcasting Corporation’s website suffered earlier this year</a> is a perfect recent example of data collection misuse. The information stolen included <a href="http://www.smh.com.au/it-pro/security-it/cracks-widen-in-abc-website-security-20130228-2f78z.html" target="_blank">easily cracked hashed passwords</a> and personal details about each person that the website did not need. When we give up our information to an organisation, we almost never have control over anything that happens to it after the fact.<br />
<br />
This is something that the Kantara Initiative is attempting to address through its <a href="http://kantarainitiative.org/confluence/display/uma/Home" target="_blank">User Managed Access (UMA) work group</a> and the associated UMA protocol. But until this or something like it is mandated across sites that store information about individuals, it is extremely difficult to address the lack of control we have over our personal details and their proliferation.<br />
<br />
<i>Note (not part of original blog post): I strongly suggest checking out Ian Glazer's <a href="http://blogs.gartner.com/ian-glazer/2013/11/14/big-p-privacy-in-the-era-of-small-things/" target="_blank">"Big P Privacy in the Era of Small Things" video</a> if you are interested in exploring and understanding this topic in more depth.</i><br />
<i><br /></i>
<h3 style="text-align: left;">
Potential benefit of social identities</h3>
Social networks have the potential to reduce the number of places that our information is stored. In addition, they can potentially become the gatekeepers to our information. Imagine if the interaction between a social network and another site included the obligation to delete our information upon request by the social network using a protocol like UMA? Better still, what if it required that the information used be transient and disappears when our session with the site in question ends? Nothing actually gets stored.<br />
<br />
In fact, some social networks enforce this today, although this is used more as a defensive tactic to reduce the likelihood that a partner site becomes a competitor by replicating all their user data than a way to protect the information for the benefit of users. Sites that do not conform to the policy are unceremoniously prevented from being able to interact with the social network in any way.<br />
<br />
There are benefits to be had for the sites accepting social identities as logins too. Studies have shown that user drop-off rates decrease because users no longer have to fill in forms to access the site. Data storage costs drop as a result and for organisations that do not want to be front page news for losing user data, this risk is no longer present.<br />
<br />
<h3 style="text-align: left;">
A driver’s licence is not a passport</h3>
We began by referencing the generation of digital natives driving the assimilation of our digital and physical lives. They influence online innovation today through their demands and expectations. They are the demographic many businesses target. As a result, their behaviour shapes the evolution of the online world and by extension, the real world.<br />
<br />
The rest of us have to begrudgingly adapt to a reality being built for them. Like it or not, social identities are becoming the Internet’s driver’s licence of choice. However, social identities are not our online passports. The world is not ready for that reality. And unless social networks start vetting people like banks do, that reality is unlikely to ever be achieved.<br />
<div>
<br /></div>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-26243037791485921482013-11-04T15:29:00.003+11:002013-11-04T15:29:57.916+11:00Gain RELIEF with future proof security<div dir="ltr" style="text-align: left;" trbidi="on">
I <a href="http://bit.ly/1crugwK" target="_blank">wrote an article for SCMagazine</a> that was published in late October. Unfortunately, since more than 7 days have passed, it now sits behind a registration wall (which I believe is free, but still requires effort on your part). It was originally titled: "Holistic security heals your cloud and mobility symptoms", but the editor decided the current one worked better.<br />
<br />
For those that don't feel like registering to read the article, the RELIEF acronym in the title spells out:<br />
<br />
<ul style="text-align: left;">
<li><b>R</b>esources – What are you trying to protect? This is almost always going to be information. Often, IT departments classify the applications housing information as resources, but without the information, applications do not need to be protected. The classification of data needs to be considered here as this has a bearing on access control policies.</li>
<li><b>E</b>ntry – How is each resource accessed? Through an application? Database? As a text file on a file server? Do the access control policies and enforcement mechanisms cover all the combinations and can they be easily managed? Where are the blind spots? Where is access not enforced?</li>
<li><b>L</b>ocations and time – Where are these resources located? On-premise? In the cloud? Where are resources accessed from? Can people access a resource when they are outside the office? When can they access these resources?</li>
<li><b>I</b>dentity – Who is accessing corporate resources? Can access be tied back to a single individual or is the audit trail ambiguous? Can you enforce access based on who the person is? Are the monitoring mechanisms able to understand identities?</li>
<li><b>E</b>xit – How can information leave the organisation? What are the allowable circumstances and combinations where this can happen? Can this be enforced or at the very least monitored? Are there blind spots?</li>
<li><b>F</b>low – How does information move between entry and exit points? What about all the points in between? Is the flow of information completely auditable and enforceable at all touch points?</li>
</ul>
<br />
<div>
<br /></div>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com1tag:blogger.com,1999:blog-36930068.post-23288525771123967642013-09-19T01:30:00.000+10:002013-09-19T01:30:01.967+10:00Authentication debate fuelled by Apple Touch ID is in itself a game changer<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<a href="http://commons.wikimedia.org/wiki/File%3AFIRE_01.JPG" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" title="I, MarcusObal [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], via Wikimedia Commons"><img alt="FIRE 01" src="//upload.wikimedia.org/wikipedia/commons/thumb/2/2a/FIRE_01.JPG/256px-FIRE_01.JPG" width="256" /></a>
</div>
There's a <a href="http://www.zdnet.com/debate/apples-touch-id-a-game-changer/10127622/" target="_blank">good debate on ZDNet</a> between <a href="http://twitter.com/JohnFontana" target="_blank">John Fontana</a> and <a href="http://twitter.com/zyzzyvamedia" target="_blank">David Braue</a> around the issue of whether Apple's Touch ID is a game changer. I've spoken to, discussed things with and read stuff written by both these guys, so I can vouch for the fact they know what they are on about, which is why I'm sort of fence sitting in the context of their actual debate. But if someone shook the fence I'm currently sitting on vigorously and I assume the question was framed around Touch ID in its current form (or rather, how it will be when the iPhone 5s is released in a few days), I'd probably fall onto the side that John's on.<br />
<br />
John makes 2 really great points that I wholeheartedly agree with:
<br />
<blockquote>
"Currently, Touch ID has no way for the enterprise to tap the technology into their identity and access management systems."</blockquote>
and
<br />
<blockquote>
"...without an SDK, developers that made the App Store explode won't be able to lift a finger to raise Apple's security profile above a whimper."</blockquote>
He's right. But I believe Apple will eventually allow developers to hook into Touch ID, albeit indirectly. Apple does not build things into their devices without a long-term strategy for them.<br />
<br />
Those of us in the IT security field are paid to be paranoid and sceptical, so I can understand how security professionals are not jumping on the Apple fanboy bandwagon. Interestingly enough, many are closet Apple fanboys when not doing their day jobs. One thing we all struggle with however, is getting people to actually care about security, let alone openly debate it.<br />
<br />
While I don't believe that Touch ID in its current form is a game changer, <b>the fact that Touch ID's lit the fire under the authentication debate is</b>. That is something only companies like Apple can do.<br />
<br />
While it may seem self-serving to quote myself, that's exactly what I'm going to do. I said in my <a href="http://bit.ly/14LBnr3" target="_blank">previous blog post</a>:<br />
<blockquote>
"...it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path."</blockquote>
Apple's done that. If you read some of David's arguments in the debate, he's actually projecting potential future applications of Touch ID, not features it will have upon initial release:
<br />
<blockquote>
"MDM tools are all about adding a layer of control to distant mobile devices, and fingerprints are a readily available way for distant users to prove their identity."</blockquote>
and
<br />
<blockquote>
"Better API access would allow developers to use fingerprints anywhere they now require user ID-and-password combinations."</blockquote>
Sitting firmly perched back on my fence, I agree with John that Touch ID in its current form is not a game changer. But I agree with David that Touch ID's potential, with the Apple juggernaut behind it, is.<br />
<br />
At the very least, the fact that authentication has become a hotly debated topic in the mainstream is the actual, indisputable game changer that Apple's managed to fuel with the introduction of Touch ID. As an added bonus, if your day job is to sell security internally to C-level decision makers, here's a potential way in to start those security conversations. Remember to leave the propeller hat behind in your desk drawer.</div>
<h2 style="text-align: left;">
Usable identification - the key to a world without passwords</h2>
Posted by Ian on 2013-09-12<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5TkZNyvUQnQ/UjCD-72RrvI/AAAAAAAAAic/9k9-qVn_Rmc/s1600/fingerprint.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-5TkZNyvUQnQ/UjCD-72RrvI/AAAAAAAAAic/9k9-qVn_Rmc/s1600/fingerprint.png" /></a></div>
<br />
Consumer devices offer the best vehicle for bringing non-password based authentication mechanisms to the mainstream, much the same way <a href="http://bit.ly/YyNJ5S" target="_blank">social networks have brought identity federation to the masses</a>. It is the best shot we have of eventually <a href="http://blog.talkingidentity.com/tag/passwords-must-die" target="_blank">killing passwords off</a> for good. If that day comes, passwords will more than likely be replaced by a combination of biometric and token-based mechanisms.<br />
<br />
The inevitable rise of wearable computing, on top of the ubiquity of smart phones, will give us an abundance of available tokens (compared to a world before smart phones) to use as part of the identification dance known as authentication.<br />
<br />
Signing on to a site using your social network is not commonly referred to as identity federation; that's what security people call it. But it works because it's usable, although this is at the expense of some security. Social identities help consumers clear the security hurdle to the point where the word "security" doesn't rate a mention during the authentication and/or registration process. Social networks however, still use passwords.<br />
<br />
Passwords on their own are insecure. In the absence of other ways to identify ourselves (i.e. multi-factor authentication), <a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/" target="_blank">a lot of damage can be done to our digital lives</a> that is difficult to recover from. Also, let's not forget about the number of hacks suffered by multiple sites that included leaked passwords. But passwords remain because the username and password combination is a design pattern we have been trained to understand and accept. Because we have been conditioned this way, passwords are inherently usable. Therein lies the challenge in moving past them.<br />
<br />
Good authentication practices have always included multiple factors. In other words, passwords on their own just won't do. In addition to usability, cost is almost always a prohibitive factor. It costs an organisation a lot of money to procure the hardware required to support authentication mechanisms beyond passwords. Wouldn't it be nice if consumers had tokens they could use that were as secure as these expensive ones organisations currently have to buy?<br />
<br />
Some organisations have weighed the risks against costs and decided that SMS tokens are good enough to be considered as an acceptable second factor beyond passwords. If you've looked into this, you know SMS messages are not actually that secure. But for a lot of scenarios, they are "good enough" when combined with the primary password. If organisations want to move beyond this however, it gets very expensive.<br />
<br />
It took well-known brands with a significant amount of consumer influence (e.g. Facebook, Twitter, LinkedIn) to bring identity federation to the masses. Similarly, it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path.<br />
<br />
In the case of authentication however, there is the cost consideration that was not present in the consumer identity federation equation. How can we put stronger authentication factors in the hands of consumers in a cost effective manner? Ideally, we would make consumers buy these tokens, but who would want to do that just for a bit of extra security and a more disjointed user experience? Enter large, well-known consumer brand with the requisite influence.<br />
<br />
Apple, the king of making technology usable, is that organisation. Their <a href="http://www.engadget.com/2013/09/10/iphone-5s-fingerprint-sensor/" target="_blank">announcement</a> yesterday of the Touch ID fingerprint sensor on the iPhone 5s is the latest (and loudest) in a recent spate of devices that have the potential to help achieve the right balance of usability, cost and security at scale. Rich Mogull's <a href="http://tidbits.com/article/14089" target="_blank">article on TidBITS</a> is the best one I've read if you want to understand some of the security aspects.<br />
<br />
Beyond Cupertino, there are a few recent developments that will hopefully be caught up in the Apple authentication snowball that is rolling down security mountain:<br />
<ul style="text-align: left;">
<li><a href="http://www.getnymi.com/" target="_blank">Nymi</a> is a device which wraps around our wrist and uses our unique cardiac rhythm to authenticate and identify us to things around us. There are unknowns around how or if this will actually work, including some more knowledgeable about cardiac rhythms than I, who remain sceptical. Dave Kearns however, is a <a href="http://blogs.kuppingercole.com/kearns/2013/09/10/i-biometrics/" target="_blank">little more enthusiastic</a>, as are most other people on Twitter. I, for one, hope it actually works because the potential scenarios are interesting, exciting even.</li>
<li>Let's not forget about the impending barrage of smart watch releases over the next year, starting with Samsung's <a href="http://www.samsungmobilepress.com/2013/09/04/GALAXY-Gear-1" target="_blank">Galaxy Gear</a>. Apple, of course, has also been working on the rumoured iWatch. Even car manufacturers like Nissan are <a href="http://www.bbc.co.uk/news/technology-23964797" target="_blank">clamouring to wrap themselves around our wrists</a>. While smart watches aren't inherently security devices, they are effectively another token that could be used in the authentication process. For example, the fact that a smart watch is mine and is paired with my smart phone (or car in the case of Nissan) at the point of identification (authentication) gives the system identifying me a level of assurance that I am who I claim to be.</li>
</ul>
<br />
As with any new technology, there are potential security implications that need to be analysed and I'm sure this will be done by many when the devices are made available to the general public. But Apple Touch ID, Nymi, smart watch manufacturers and other wearable devices we have yet to hear about have the potential to make security invisible.<br />
<br />
Security is the enemy of usability. Studies have shown that when presented with a secure option or an easy option to perform a task, people almost always choose the easy option. <b>The trick is to make the easy option also the secure option.</b> The devices mentioned aim to make our lives better. The fact that they have the potential to make our lives easier while improving security is exciting.<br />
<br />
Here's to a future where we don't need passwords, but can stay secure while remaining blissfully ignorant of that fact.</div>
<h2 style="text-align: left;">
Securing the hybrid cloud</h2>
Posted by Ian on 2013-07-27<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
The following is an excerpt from an article I just wrote for Business Spectator Australia's technology section.
<br />
<blockquote>
Securing a hybrid cloud model requires a mindset shift from traditional IT security approaches. Analyst firm Forrester uses their Zero Trust model to illustrate the fact that IT security can no longer trust activities occurring internally within the walls of the organisation. Security is about verifying everything that occurs and organisations have to inherently assume an insecure state and react quickly as a security incident occurs.</blockquote>
Check out the rest of it <a href="http://bit.ly/12rVWgd" target="_blank">here</a>.
<br />
<br /></div>
<h2 style="text-align: left;">
Identity foundation</h2>
Posted by Ian on 2013-07-12<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
You wouldn't believe how often I still have to explain Identity & Access Management (IAM) basics to people. Or maybe you do because you feel like a broken record each time you do it. So I created this to help explain it to someone who knows nothing about what comes second nature to those of us in the security game.<br />
<br />
Note: This is a GIF so if you're viewing this through something that doesn't render GIF files properly, it's going to look like an absolute mess. <b>Also, unless you have a magnifying glass handy, I suggest clicking on the image for a slightly larger version.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BLhjD7khnHE/Ud-jnD42oII/AAAAAAAAAg8/hS9Vg5jBdrg/s1600/Identity_Foundation.gif" imageanchor="1"><img border="0" height="222" src="http://4.bp.blogspot.com/-BLhjD7khnHE/Ud-jnD42oII/AAAAAAAAAg8/hS9Vg5jBdrg/s400/Identity_Foundation.gif" width="400" /></a></div>
<br /></div>
<h2 style="text-align: left;">
Login to the real world with your Facebook account</h2>
Posted by Ian on 2013-05-10<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
The following is an excerpt from an article I just wrote for CSO Australia.<br />
<div>
<blockquote class="tr_bq">
Ultimately, context is the key to understanding the appropriate use of social identities. While we may be happy browsing a retailer’s website logged in with our Facebook account for a personalised experience, we are not going to be making the payment with it. Organisations that get the balance right while understanding appropriate use and context can begin their social-enablement journey with their eyes open.</blockquote>
</div>
<div>
Check out the rest of it <a href="http://bit.ly/YyNJ5S" target="_blank">here</a>.<br />
<br /></div>
</div>
<h2 style="text-align: left;">
IT security predictions 2013</h2>
Posted by Ian on 2012-12-18<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
It's that time of year again where everyone recaps the year that went by and makes outlandish predictions for the year ahead. Not wanting to be left out, I wrote a piece for <a href="http://bit.ly/TVVwoI" target="_blank">SCMagazine</a>.<br />
<br />
Here's an excerpt.
<br />
<blockquote>
"Together, BYOD and cloud heralded the arrival of the consumerisation of IT, essentially the democratisation of IT within organisations. Employees are no longer content with being dictated to. As consumers, we now enjoy more useful, usable applications than ever before. We expect the same of our IT applications at work. The sentiment that work is where we go to use old technology is common and users are revolting."</blockquote>
Full article <a href="http://bit.ly/TVVwoI" target="_blank">here</a>. Agree? Disagree? Sound off in the comments or on <a href="http://twitter.com/ianyip" target="_blank">Twitter</a>.</div>
<h2 style="text-align: left;">
IT security implications of BYO* for enterprises</h2>
Posted by Ian on 2012-11-20<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
This is the post I promised I'd write when I <a href="http://bit.ly/REP6Ng" target="_blank">talked about Cloud and BYOD</a> as part of my <a href="http://bit.ly/NgWJEI" target="_blank">"Do security like a start-up or get fired" series</a>. <br />
<br />
I created and delivered this presentation for events in <a href="http://www.netiqsecurityap.com/au/" target="_blank">Sydney, Canberra and Melbourne</a>. The presentations received some press coverage, in particular <a href="http://zd.net/RvL7zG" target="_blank">this ZDNet article</a> written by <a href="http://www.zdnet.com/meet-the-team/au/michael.lee/" target="_blank">Michael Lee</a> which garnered over 110 Tweets and 70+ LinkedIn shares including mentions from the likes of <a href="https://twitter.com/Cisco_Mobility/status/256171084636884992" target="_blank">Cisco</a>, <a href="https://twitter.com/IBMBizInsight/status/256240933484498944" target="_blank">IBM</a>, <a href="https://twitter.com/SAPMobile/status/256378631687909377" target="_blank">SAP</a>, <a href="https://twitter.com/good_technology/status/256469292030234624" target="_blank">Good Technology</a>, <a href="https://twitter.com/PaloAltoNtwks/status/258304627320180736" target="_blank">Palo Alto Networks</a> and of course <a href="https://twitter.com/NetIQ/status/255991688869343232" target="_blank">NetIQ</a>.<br />
<br />
As this is a presentation masquerading as a blog post, it will be different to my usual posts. There are a bunch of images littered throughout, which are all slides from my presentation deck. As a result, you'll see some text as images because they were slides. I've kept it this way instead of typing everything out to give you a better feel for the actual presentation.<br />
<br />
<hr />
<h2 style="text-align: left;">
IT security implications of BYO* for enterprises</h2>
The BYO in the title stands for “bring your own”. The term dominating the headlines is Bring Your Own Device (BYOD) but it's about so much more than just the 'D' in BYOD. The use of the “*” is a reference to the fact it’s not just about employees bringing their own devices into the work place; it's about a trend towards employees bringing their own technology into the workplace.<br />
<br />
I’m going to cover 3 things:<br />
<ol style="text-align: left;">
<li>Why BYO is top of mind.</li>
<li>Understanding BYO.</li>
<li>How to secure BYO.</li>
</ol>
If BYOD was a viral video, it would be this one.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-YxVkLxxt89A/UKMz325cNkI/AAAAAAAAAXk/tyunhC_ZgfM/s1600/gangnam-style.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://2.bp.blogspot.com/-YxVkLxxt89A/UKMz325cNkI/AAAAAAAAAXk/tyunhC_ZgfM/s320/gangnam-style.png" width="320" /></a></div>
<br />
Your barista’s doing it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Sf1BphIy2gM/UKM0BxGJVtI/AAAAAAAAAXs/-U7ukn7jPmM/s1600/gangnam-coffee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-Sf1BphIy2gM/UKM0BxGJVtI/AAAAAAAAAXs/-U7ukn7jPmM/s320/gangnam-coffee.png" width="320" /></a></div>
<br />
Google chairman Eric Schmidt is doing it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-cWli096-o8M/UKM0HLi6PaI/AAAAAAAAAX0/g-3sFgfiYxo/s1600/gangnam-schmidt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://4.bp.blogspot.com/-cWli096-o8M/UKM0HLi6PaI/AAAAAAAAAX0/g-3sFgfiYxo/s320/gangnam-schmidt.png" width="320" /></a></div>
<br />
It’s the viral video of 2012, holds the <a href="http://www.guinnessworldrecords.com/news/2012/9/gangnam-style-now-most-liked-video-in-youtube-history-44977/" target="_blank">Guinness world record for the most likes on YouTube</a> and has spawned more spoof videos than any other this year.<br />
<br />
My point, other than being able to work Gangnam Style into my presentation, is that all everyone wants to talk about this year in the enterprise is BYOD. Sure, people still talk about Cloud, but in the words of the Black Eyed Peas, that’s so two thousand and late. So, the real title of my presentation is...<br />
<h2 style="text-align: left;">
How to secure the Gangnam Style of Enterprise IT </h2>
While we’re on Google, I thought I’d see what their algorithms thought about the BYO meme since we rely so much on search today. It’s a convenient, mildly scientific way to get at what’s top of mind in terms of things we want to know about or find solutions for.<br />
<br />
As most of you know, Google gives you suggestions as you type. Here’s what “bring your own” reveals.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-ZbrTFIgLays/UKM1jB4iVwI/AAAAAAAAAX8/aLr3cKk2iGE/s1600/google-byo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="http://3.bp.blogspot.com/-ZbrTFIgLays/UKM1jB4iVwI/AAAAAAAAAX8/aLr3cKk2iGE/s320/google-byo.png" width="320" /></a></div>
<br />
Three out of the four suggestions are related to the same thing.<br />
<br />
Some people have come up with what’s known as the A to Z of Google search terms. Here’s one for “bring your own”.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-fucFOvoDA7I/UKM1yUSjMtI/AAAAAAAAAYE/g8k61NLehss/s1600/google-a-z-byo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="http://4.bp.blogspot.com/-fucFOvoDA7I/UKM1yUSjMtI/AAAAAAAAAYE/g8k61NLehss/s320/google-a-z-byo.png" width="320" /></a></div>
<br />
There are a few interesting ones on the list which I won’t comment on. The point of this is that you can classify the list into 2 distinct categories.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BFbxNeVS2z4/UKM2EOOk0wI/AAAAAAAAAYM/EaobLX6MF10/s1600/google-a-z-lifestyle-tech.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="http://4.bp.blogspot.com/-BFbxNeVS2z4/UKM2EOOk0wI/AAAAAAAAAYM/EaobLX6MF10/s320/google-a-z-lifestyle-tech.png" width="320" /></a></div>
<br />
The driver for BYOD is essentially the combination of these categories crossing over into the enterprise.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-7w1nsT5fYv8/UKM2aJi-ETI/AAAAAAAAAYU/AvuVdMaOheM/s1600/byod-reason-equation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://4.bp.blogspot.com/-7w1nsT5fYv8/UKM2aJi-ETI/AAAAAAAAAYU/AvuVdMaOheM/s320/byod-reason-equation.png" width="320" /></a></div>
<br />
But the key message I want to make is this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-xVItPzf6BEo/UKM2nBUHaJI/AAAAAAAAAYc/O-lYiwUTCvA/s1600/cannot-deal-with-byod.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="http://1.bp.blogspot.com/-xVItPzf6BEo/UKM2nBUHaJI/AAAAAAAAAYc/O-lYiwUTCvA/s400/cannot-deal-with-byod.png" width="400" /></a></div>
<br />
That's right. <b>You cannot deal with BYOD by dealing with BYOD.</b> By the end of the presentation (blog post), it should be clear why this is true.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v_tdOl96R2o/UKM3CBTzTKI/AAAAAAAAAYk/asZN9lvsCqc/s1600/have-you-heard-kubler-ross.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="http://3.bp.blogspot.com/-v_tdOl96R2o/UKM3CBTzTKI/AAAAAAAAAYk/asZN9lvsCqc/s400/have-you-heard-kubler-ross.png" width="400" /></a></div>
<br />
When I ask this question, almost everyone says "no". In reality, almost everyone has. We just know it better as the five stages of grief.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Nfg2qsj7JHY/UKM3aUEItfI/AAAAAAAAAYs/8Rz4B-1qL2I/s1600/5-stages-of-grief.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="http://3.bp.blogspot.com/-Nfg2qsj7JHY/UKM3aUEItfI/AAAAAAAAAYs/8Rz4B-1qL2I/s320/5-stages-of-grief.png" width="320" /></a></div>
<br />
In speaking with organisations about BYOD, I’ve found they tend to go through the five stages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-BlcH7GssLQ4/US4G_jU1zeI/AAAAAAAAAgA/pSd9CyNlOho/s1600/byod-denial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="http://1.bp.blogspot.com/-BlcH7GssLQ4/US4G_jU1zeI/AAAAAAAAAgA/pSd9CyNlOho/s320/byod-denial.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
This is where IT says no. It’s all too difficult and presents too much of a risk to the organisation so it’s much easier just to deny everyone the privilege. They also pretend it’s not happening and hope that they will never have to deal with it once they’ve said no.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-KU4n787nbSY/UKM4SYn5NII/AAAAAAAAAY8/fpFqIhpUMeQ/s1600/byod-anger.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://4.bp.blogspot.com/-KU4n787nbSY/UKM4SYn5NII/AAAAAAAAAY8/fpFqIhpUMeQ/s320/byod-anger.png" width="320" /></a></div>
<br />
The “no” answer usually falls on deaf ears. IT gets asked again and they keep saying “no”, until they get the question from people at the executive level. In fact, this is commonly the compelling reason that forces IT to relax their stance and find a way to get it done. I’ve actually sat in a meeting before with one of the large Australian banks and had the head of security step out of the meeting to take a call about the CEO wanting to get access to corporate email via their iPad. Of course, it got done despite the fact that it broke policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-QRNidK8zMgk/UKM4rlqpknI/AAAAAAAAAZE/RHsseURNy5c/s1600/byod-bargaining.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://3.bp.blogspot.com/-QRNidK8zMgk/UKM4rlqpknI/AAAAAAAAAZE/RHsseURNy5c/s320/byod-bargaining.png" width="320" /></a></div>
<br />
Once you make a single exception, there are always other exceptions. Eventually, it becomes too difficult to manage and IT has to relent, but only to a certain extent. Usually, IT lets you have limited access and this starts with email. The interesting thing is that there is a <u>perception</u> that email is one of the least sensitive applications and hence presents minimal risk to the organisation. This is why it’s usually one of the first systems that are moved to the Cloud. The reality is that corporate email is one of the most sensitive applications any organisation has. The fact is however, this is usually what happens.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6bVmmlM5opg/UKM47nsOSZI/AAAAAAAAAZM/_zrptW931jA/s1600/byod-depression.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="http://3.bp.blogspot.com/-6bVmmlM5opg/UKM47nsOSZI/AAAAAAAAAZM/_zrptW931jA/s320/byod-depression.png" width="320" /></a></div>
<br />
This is where IT realises that even though they thought they addressed the issue by compromising, an increasing number of people continue to go around them. Users are a smart bunch at getting around IT departments and IT security policy, especially when we have full control of the device we’re using. At this point, IT has 2 options:<br />
<ol style="text-align: left;">
<li>Stick their head in the sand, pretend it’s not happening and attempt to lock everything down thus getting in the way of business.</li>
<li>Deal with the situation at hand in a constructive, business-centric manner. We forget all too often that IT is a business enabler. IT security should also be a business enabler.</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-XcbuuBJaMvc/UKM5PuuqIRI/AAAAAAAAAZU/gAsJQkfZXj8/s1600/byod-acceptance.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://4.bp.blogspot.com/-XcbuuBJaMvc/UKM5PuuqIRI/AAAAAAAAAZU/gAsJQkfZXj8/s320/byod-acceptance.png" width="320" /></a></div>
<br />
Every organisation will get to this point whether they like it or not. It’s just a matter of time. To remain secure and evolve with the times, you have to. It’s better to go in with eyes wide open than to dig your heels in and pretend it’s not happening.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-pe-Ht4in-jQ/UKM5a3UzjUI/AAAAAAAAAZc/G32gEyzanps/s1600/byod-today.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://3.bp.blogspot.com/-pe-Ht4in-jQ/UKM5a3UzjUI/AAAAAAAAAZc/G32gEyzanps/s320/byod-today.png" width="320" /></a></div>
<br />
The reality today is that most organisations are somewhere between bargaining and acceptance, skewed towards the bargaining stage. The point to take away here is that when it comes to the freight train that is BYOD...<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-_tdRuxKG_Hs/UKM6JyRpbiI/AAAAAAAAAZk/3a8FxQzrFno/s1600/byod-express.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://1.bp.blogspot.com/-_tdRuxKG_Hs/UKM6JyRpbiI/AAAAAAAAAZk/3a8FxQzrFno/s320/byod-express.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/locosteve/4552360219/" target="_blank">Steve Wilson</a></td></tr>
</tbody></table>
<br />
You can’t have a track that ends.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-ElXuzFn_QTA/UKM6QvXb_fI/AAAAAAAAAZs/Ahfjh-eo4go/s1600/track-end.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="232" src="http://1.bp.blogspot.com/-ElXuzFn_QTA/UKM6QvXb_fI/AAAAAAAAAZs/Ahfjh-eo4go/s320/track-end.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/cassandrajowett/3118172050/" target="_blank">Cassandra Jowett</a></td></tr>
</tbody></table>
<br />
It has to look more like this.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-k7r6065NqLU/UKM6ZZWp4YI/AAAAAAAAAZ0/kBCjwFn3Roo/s1600/track-options.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://4.bp.blogspot.com/-k7r6065NqLU/UKM6ZZWp4YI/AAAAAAAAAZ0/kBCjwFn3Roo/s320/track-options.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/elsie/10166671/" target="_blank">Les Chatfield</a></td></tr>
</tbody></table>
<br />
Where you have well defined paths, but allow flexibility to choose the one that is appropriate for the situation and destination.<br />
<br />
You can’t put a wall up or make it the end of the line otherwise people, usually the ones with the authority to make you change your stance, find ways around you. They will eventually replace you with someone who can be that creative "yes" person the modern enterprise needs.<br />
<br />
You may have noticed that I've been using the BYOD term a lot. But as I said up front, when you actually have to deal with it, you will quickly realise it’s actually about more than dealing with devices. To deal with BYOD, you have to handle a raft of other issues. BYOD is essentially about handling employees using what they choose for business purposes, not just a device of choice. It is about the Consumerisation of IT and its intersection with Enterprise IT.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-KBwxCTVCA-k/UKM7TE6lxxI/AAAAAAAAAZ8/YyQ-7cVCRno/s1600/byo-and-enterprise.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="http://1.bp.blogspot.com/-KBwxCTVCA-k/UKM7TE6lxxI/AAAAAAAAAZ8/YyQ-7cVCRno/s320/byo-and-enterprise.png" width="320" /></a></div>
<br />
Since we’re talking about transport, let me talk about airports.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-vhwxdmKvH1Y/UKNeLdW5jxI/AAAAAAAAAaY/9F8Qwe5DFcM/s1600/airport.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="232" src="http://4.bp.blogspot.com/-vhwxdmKvH1Y/UKNeLdW5jxI/AAAAAAAAAaY/9F8Qwe5DFcM/s320/airport.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/mtl_shag/5799534248/" target="_blank">Oliver Mallich</a></td></tr>
</tbody></table>
<br />
Everyone generally knows how airports function, but we never take the time to think about it. We typically meander through because we want to get to our destination with as little fuss as possible. Airports are businesses and perform an essential function, but need to be self-sustainable from a financial standpoint. They provide infrastructure services to support the experiences we have in an airport; fuel for the planes, spaces for shops, airline lounges and so on. But when you strip everything back, there are two essential things about an airport that we cannot do without.<br />
<br />
The first is ensuring that passengers are able to get to their destination safely. As travellers, we want safety. Without safety, we would not fly anywhere. That’s why we put up with the painful security checks at every airport.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-ibJUA_fb0ew/UKNkQn5MsQI/AAAAAAAAAa0/GaX-4ps9YhA/s1600/airport-security.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://4.bp.blogspot.com/-ibJUA_fb0ew/UKNkQn5MsQI/AAAAAAAAAa0/GaX-4ps9YhA/s320/airport-security.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/sixmilliondollardan/3382932556/" target="_blank">Inha Leex Hale</a></td></tr>
</tbody></table>
<br />
The second is ensuring that the airport experience is as pleasant as possible, even though it may not seem that way. As consumers, we are demanding and expect more than just “pleasant”. Anything less than good and we complain that the airport is not up to standard. We want to be impressed, even if we won't admit to it. For example, Kuala Lumpur international airport has a jungle walk inside the terminal.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-DjePOcCRZ0A/UKNpDoyWj_I/AAAAAAAAAbQ/CniyMq3WEJI/s1600/klia-jungle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="http://4.bp.blogspot.com/-DjePOcCRZ0A/UKNpDoyWj_I/AAAAAAAAAbQ/CniyMq3WEJI/s320/klia-jungle.png" width="320" /></a></div>
<br />
Back to safety; to minimise risk and ensure an acceptable level, airports and the relevant services within the terminal make us jump through all sorts of hoops to gain access to things. Airports control access to designated areas and services based on forms of identification combined with monitoring activity and observed behaviour. The only reason this works is because of identity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-XZhJ92-8n0g/UKNqre3PCbI/AAAAAAAAAbY/b8n0bAx-Z0I/s1600/identity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="http://1.bp.blogspot.com/-XZhJ92-8n0g/UKNqre3PCbI/AAAAAAAAAbY/b8n0bAx-Z0I/s320/identity.png" width="320" /></a></div>
<br />
But not just any identity. The key is that real-world identities are scalable.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-rfgiYcI-dp0/UKNqzoLHjDI/AAAAAAAAAbg/vfLMo8_yzrI/s1600/scalable.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://2.bp.blogspot.com/-rfgiYcI-dp0/UKNqzoLHjDI/AAAAAAAAAbg/vfLMo8_yzrI/s320/scalable.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/stefanochiarelli/5375970643/" target="_blank">Stefano Chiarelli</a></td></tr>
</tbody></table>
<br />
If you’ve seen (or read) my <a href="http://bit.ly/RzS2sJ" target="_blank">Identity in an agile world</a> presentation, you’ll remember that the reason real world identities are scalable is because: for access to things, it doesn’t matter who I am; it matters what I am.<br />
<br />
This is why the fact that my boarding pass...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-AhZRuS0pfTM/UKNtlwXmOfI/AAAAAAAAAcU/M892CygNks0/s1600/boarding-pass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://3.bp.blogspot.com/-AhZRuS0pfTM/UKNtlwXmOfI/AAAAAAAAAcU/M892CygNks0/s320/boarding-pass.png" width="320" /></a></div>
<br />
Gets me onto a plane...<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-yn52k9vC1iA/UKNt0sfolKI/AAAAAAAAAcc/ik4DPPYsICw/s1600/plane-at-gate.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="232" src="http://2.bp.blogspot.com/-yn52k9vC1iA/UKNt0sfolKI/AAAAAAAAAcc/ik4DPPYsICw/s320/plane-at-gate.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/onsoe/6846131099/" target="_blank">Jay-Oh</a></td></tr>
</tbody></table>
<br />
Has nothing to do with me being Ian Yip. It's because the boarding pass is an acceptable credential to gain access to the plane as a passenger. It just needs to be genuine and have the correct date and flight number on it. Even when it is cross-checked with a passport on international flights prior to boarding, the name on the boarding pass is irrelevant. The staff at the gate are simply checking that they match, which raises the level of assurance of the credential (boarding pass) I'm using.<br />
<br />
When we fly, we have a choice. Imagine if the only choice we had when we fly was this plane.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-ZPvGREkWE-M/UKNwMr89B6I/AAAAAAAAAck/Tmt8B5mdZDM/s1600/military-plane-flying.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="232" src="http://1.bp.blogspot.com/-ZPvGREkWE-M/UKNwMr89B6I/AAAAAAAAAck/Tmt8B5mdZDM/s320/military-plane-flying.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/eyeonthesky/846636636/" target="_blank">Tim Bunce</a></td></tr>
</tbody></table>
<br />
And this is where you sit.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/--GjCfr6WZbs/UKNwS9it4RI/AAAAAAAAAcs/tGUcYyLfWL4/s1600/military-plane-ground.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="232" src="http://3.bp.blogspot.com/--GjCfr6WZbs/UKNwS9it4RI/AAAAAAAAAcs/tGUcYyLfWL4/s320/military-plane-ground.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/wbaiv/5626745758/" target="_blank">Bill Abbott</a></td></tr>
</tbody></table>
<br />
Would you want to use it? What would you think if that was your only option? Would you pay more to fly in this other plane?<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-lG_iCA1kFP8/UKNx0ZASdbI/AAAAAAAAAc0/M2ZPttnPenI/s1600/plane-in-air.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://1.bp.blogspot.com/-lG_iCA1kFP8/UKNx0ZASdbI/AAAAAAAAAc0/M2ZPttnPenI/s320/plane-in-air.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/vox_efx/3578322709/" target="_blank">Vox Efx</a></td></tr>
</tbody></table>
<br />
And your seats looked like this?<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-7IoRzsoFSSA/UKNx7psQlsI/AAAAAAAAAc8/Tz7_PTlQlxM/s1600/first-class-cabin.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="233" src="http://4.bp.blogspot.com/-7IoRzsoFSSA/UKNx7psQlsI/AAAAAAAAAc8/Tz7_PTlQlxM/s320/first-class-cabin.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Photo credit: <a href="http://www.flickr.com/photos/monstermunch/4942508727/" target="_blank">Andy Mitchell</a></td></tr>
</tbody></table>
<br />
Right about now, you're probably thinking...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bofUNQlG_uc/UKNyJ6vU-oI/AAAAAAAAAdE/-Dw6AO7Yv6g/s1600/why-airports.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="http://3.bp.blogspot.com/-bofUNQlG_uc/UKNyJ6vU-oI/AAAAAAAAAdE/-Dw6AO7Yv6g/s400/why-airports.png" width="400" /></a></div>
<br />
In the context of the topic at hand, various aspects of our experiences in airports are relevant. If you think about the airport as being the organisation, the rest of the things on this list map logically.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-R-ln-O9ryrs/UKNysdYx0rI/AAAAAAAAAdM/gF_GJ4IP0oI/s1600/airport-tech-mapping.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://3.bp.blogspot.com/-R-ln-O9ryrs/UKNysdYx0rI/AAAAAAAAAdM/gF_GJ4IP0oI/s320/airport-tech-mapping.png" width="320" /></a></div>
<br />
The key point being that we have a choice of airlines, just like we have a choice of devices if corporate policies allow. Airports manage to remain secure despite the choices they present us. Sure there are inconveniences we have to deal with but we pay the price for the benefits.<br />
<br />
Now, let’s consider this point. Would we lock the planes down but let everyone wander around freely? This only works at airshows, not in a real airport. We would never use an airport if this was the case. So why do so many organisations attempt to deal with BYOD using only Mobile Device Management (MDM) technologies? Doing so is effectively locking the plane down but leaving everything else open. MDM is a tactical feature, not an organisational strategy.<br />
<br />
To deal with BYOD and subsequently the consumerisation of IT, you need all the other things that make an airport secure while balancing it with the flexibility of experiences a good airport provides. In other words...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-DHcCPx_JKbo/UKXNm16-BbI/AAAAAAAAAdw/yRTy_vTD3RY/s1600/byod-managing-mobile-employees.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="http://3.bp.blogspot.com/-DHcCPx_JKbo/UKXNm16-BbI/AAAAAAAAAdw/yRTy_vTD3RY/s400/byod-managing-mobile-employees.png" width="400" /></a></div>
<br />
Remember the jungle within Kuala Lumpur’s terminal?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3on0HQXProk/UKXN9tpSm9I/AAAAAAAAAd4/veVIWy1CrlU/s1600/klia-jungle-remember-this.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="http://4.bp.blogspot.com/-3on0HQXProk/UKXN9tpSm9I/AAAAAAAAAd4/veVIWy1CrlU/s320/klia-jungle-remember-this.png" width="320" /></a></div>
<br />
Airports add services like this to make the experience better. It balances out all the inconveniences we have to endure in making our way through airports. Psychologically, this is similar to why employees are starting to make their own choices when using applications to do their jobs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-yd2Q30OJqSs/UKXO672oVbI/AAAAAAAAAeA/p38CNX3O3sw/s1600/employees-want-better-applications.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="http://3.bp.blogspot.com/-yd2Q30OJqSs/UKXO672oVbI/AAAAAAAAAeA/p38CNX3O3sw/s400/employees-want-better-applications.png" width="400" /></a></div>
<br />
How many of us have tried to use an enterprise application (e.g. ERP or CRM) and complained about how bad it was? They end up not getting used and we revert to something basic like spreadsheets, which aren't all that nice to use anyway. We’ve been behaving this way for quite some time and have been forced to get used to it due to the lack of available options. The difference today is that the innovation in the mobile space has extended to applications and we’re able to use great, consumer-grade applications for business needs (which aren't necessarily sanctioned by corporate IT). This is the driver behind users bringing their own applications, or if we follow the BYO meme, the Bring Your Own Application (BYOA) trend that is upon us.<br />
<br />
Consumerisation is now extending to our social logins. The following options are arguably the dominant identities we use online: Facebook, Twitter, Google, LinkedIn.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1ruzskbfkFk/UKXP2PDcARI/AAAAAAAAAeI/09nHgtXUGMo/s1600/social-identity-providers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://1.bp.blogspot.com/-1ruzskbfkFk/UKXP2PDcARI/AAAAAAAAAeI/09nHgtXUGMo/s320/social-identity-providers.png" width="320" /></a></div>
<br />
Given the lines between personal and business are starting to blur, it is inevitable that our social identities start to extend into the enterprise. While we may not be at the stage where they can be used as being highly trusted identifiers for critical systems, they do provide a way for enterprises to use a lightweight identifier for their employees and customers.<br />
<br />
In fact, a lot of organisations are looking at using social logins for their customers. Retailers are the most common type of organisation here, although the UK government <a href="http://www.guardian.co.uk/technology/2012/oct/04/facebook-social-media-identity-proof" target="_blank">announced recently</a> that they were looking at allowing this for citizens. Washington State in the US <a href="http://www.huffingtonpost.com/2012/07/18/washington-facebook-voter-registration_n_1682366.html" target="_blank">allows voters to register through Facebook</a>. We haven’t gotten to the stage where most organisations are actively trying to implement the same thing for their employees, but given that many will have the foundational components in place for their customers, it’s not a stretch to extend it to employees and provide a lightweight identifier internally for less critical systems without forcing employees to sign in. For example, my iPad is signed in to Twitter by default at the operating system layer. With the latest release of iOS, Apple added Facebook to sit side-by-side with our Twitter identity. In other words, it's relatively easy to Bring Your Own Identity (BYOI) to your day job, especially when you BYOD.<br />
<br />
What about Cloud? Could employees conceivably bring their own Cloud?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WT-X_1YPt1k/UKXQ0K6aCDI/AAAAAAAAAeQ/VqmCFCms8LI/s1600/cloud.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://3.bp.blogspot.com/-WT-X_1YPt1k/UKXQ0K6aCDI/AAAAAAAAAeQ/VqmCFCms8LI/s320/cloud.png" width="320" /></a></div>
<br />
Guess what? It’s already happening with business units procuring their own SaaS applications without the knowledge of IT. This has been caused by IT security saying no all the time; instead of trying to negotiate, business units simply use a credit card and pay for a service with the approval of the business head. This is more common than most of us realise.<br />
<br />
I said “pay”, but this typically starts off free. I’ll give you a simple example. Have you used Google Apps or Dropbox to store documents so you can easily collaborate with colleagues? It’s for business use and it’s free! Guess what? You’re bringing your own cloud in the form of SaaS. Again, instead of saying “no”, IT security departments are better off saying “yes” and working with the business users to mitigate the risks this poses.<br />
<br />
Could we go further? What about the more technically minded that aren’t necessarily part of IT spinning up a new server instance within a Cloud service provider and building their own applications on top of this without the involvement of IT? This will be less common than bringing your own Cloud in the form of SaaS, but this vector actually poses more of a security risk than SaaS because someone who is technical enough to do so isn’t necessarily trained in IT security. In fact, the unfortunate situation we have today is that many technical people and developers aren’t sufficiently trained in IT security. This is something that urgently needs to be fixed. Also, the further down the infrastructure stack you go, the harder it is to secure and that's exactly what happens when someone spins up new IT infrastructure in the Cloud.<br />
<br />
Apart from BYOD, I’ve mentioned a few other BYO acronyms.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-fa7Zk8FWaQM/UKXSK33mSQI/AAAAAAAAAeY/DIhO7nRtphA/s1600/byo-list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="http://4.bp.blogspot.com/-fa7Zk8FWaQM/UKXSK33mSQI/AAAAAAAAAeY/DIhO7nRtphA/s320/byo-list.png" width="320" /></a></div>
<br />
This is by no means the final list. It’s still early days and the list will evolve. Organisations need to be agile enough to deal with trends and issues as they arise. As many of us found with Cloud and BYOD, these things creep up a lot more quickly than we expect and if you aren’t prepared, it makes things difficult, especially when it comes to security.<br />
<br />
You can generalise the various approaches to dealing with BYO* into the following list, three of which are tactical and one of which is strategic.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-nhO_ymGI5h8/UKXSgAV3f_I/AAAAAAAAAeg/4gmdl-BFTDs/s1600/different-approaches.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://3.bp.blogspot.com/-nhO_ymGI5h8/UKXSgAV3f_I/AAAAAAAAAeg/4gmdl-BFTDs/s320/different-approaches.png" width="320" /></a></div>
<br />
By tactical, I mean that you can address one aspect of security, but you will find holes in other areas. It’s better to adopt the strategic approach so that you can react more quickly and focus on what it is you’re trying to do. <b>Strategic approaches allow you to address a larger "risk and threat surface area" with less long-term spend.</b><br />
<br />
In focusing, you should be thinking about what you are actually trying to protect. In reality, it’s the information.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-AQ0BwpFK-UI/UKXSuIUtdOI/AAAAAAAAAeo/iZaJPpH2e5o/s1600/what-are-you-trying-to-protect.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="http://1.bp.blogspot.com/-AQ0BwpFK-UI/UKXSuIUtdOI/AAAAAAAAAeo/iZaJPpH2e5o/s320/what-are-you-trying-to-protect.png" width="320" /></a></div>
<br />
Notice how I’ve said information and not just data. There’s a subtle distinction best illustrated by a joke about <a href="http://pastebin.com/2qbRKh3R" target="_blank">all the PINs in the world being exposed</a>. It was simply a list of all the numbers from 0000 to 9999. That list is simply data. Add things like account numbers to the PIN and you have information. <b>The difference between information and data is context.</b><br />
<br />
What this means is that the strategic approach to cover your bases in the long term and become agile is to focus on protecting the information. You do that by controlling access to the information, knowing about the identities accessing the information, what is being done to the information and when things are being done, and subsequently being able to react quickly when appropriate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-cQjNgP6Ivuk/UKXTdvmPCwI/AAAAAAAAAew/lbUGTLBZn8o/s1600/byo-smart-agile-strategic-option.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="159" src="http://3.bp.blogspot.com/-cQjNgP6Ivuk/UKXTdvmPCwI/AAAAAAAAAew/lbUGTLBZn8o/s320/byo-smart-agile-strategic-option.png" width="320" /></a></div>
<br />
I’ve already mentioned a few challenges. Here’s a list of some important ones that need to be addressed if you want to deal with the consumerisation of IT within the enterprise effectively.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Q3DiWK9cGII/UKXT9OHEp1I/AAAAAAAAAe4/UgXKDnjR0Mg/s1600/byo-challenges.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="http://3.bp.blogspot.com/-Q3DiWK9cGII/UKXT9OHEp1I/AAAAAAAAAe4/UgXKDnjR0Mg/s320/byo-challenges.png" width="320" /></a></div>
<br />
Many of them have to do with human behaviour, which cannot be fixed by technology alone. It’s about altering culture. It’s about rethinking security.<br />
<br />
There are two on this list that I want to focus on for a few moments:<br />
<br />
<ul style="text-align: left;">
<li>The first is skills. As your IT environment evolves, so do the skills required. One of the biggest challenges enterprises face is that many of the people with the skills required are shying away from working in the enterprise due to the perceived lack of innovation. They prefer to work for small companies. The challenge for enterprises is to change that perception, and you do that by changing the culture and the way you do IT.</li>
<li>The second is the tricky issue of privacy. Given that devices hold a lot of personal data, it becomes paramount that organisations do not store employee personal data in the enterprise. In fact, one of the reasons many MDM deployments fail is due to the privacy concerns of employees and the concern that their employers are monitoring them during non-business hours. On the other hand, many organisations don’t want anything to do with employee personal information due to potential legal ramifications they may be subject to. Inevitably, for things to work, there needs to be compromise, but not at the expense of the requirement to NOT use more personal information in a business context than required or allowed (by the employee and regulatory requirements).</li>
</ul>
<br />
That said, there are benefits to be had. I’ve already mentioned a few, but here is a list of the top 5 benefits many organisations cite.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kjfmwDOKLIg/UKXWAo_rlAI/AAAAAAAAAfA/GiQbZT4QLb4/s1600/byo-benefits.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="http://3.bp.blogspot.com/-kjfmwDOKLIg/UKXWAo_rlAI/AAAAAAAAAfA/GiQbZT4QLb4/s320/byo-benefits.png" width="320" /></a></div>
<br />
Notice that one benefit commonly cited elsewhere, the reduction of hardware costs, is not on this list. It seems logical that in not having to buy employees new equipment, you save money. But these costs will manifest themselves in other ways, the most obvious being the expenditure required in dealing with BYO.<br />
<br />
Here’s a list of things that will help secure the Gangnam Style of the enterprise.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YdzIjoRq-R0/UKXWSGkZ1lI/AAAAAAAAAfI/mFKV2oFhkaU/s1600/byo-tips.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="http://1.bp.blogspot.com/-YdzIjoRq-R0/UKXWSGkZ1lI/AAAAAAAAAfI/mFKV2oFhkaU/s320/byo-tips.png" width="320" /></a></div>
<br />
It’s not an exhaustive list, nor are they all appropriate for every organisation, but it’s a good starting point. To expand on each in the list:<br />
<br />
<ul style="text-align: left;">
<li><b>Evolve from no people to creative yes people</b> - I’ve alluded to this a few times. Stop saying no. Say yes and be creative about mitigating the risks or people will go around you. Also, your boss will fire you and hire someone who can say yes while managing risk.</li>
<li><b>Have an acceptable use policy for devices that is easy to understand</b> - The first step down the BYO journey tends to be the drafting of a policy. But it is essential that it’s easy to understand. How many times have we blindly agreed to a policy because it’s too difficult to understand?</li>
<li><b>Enforce access control policies</b> - These should rely on identity, context and policy to protect resources. Do not allow a device to access resources if systems cannot determine the user’s identity, if it does not meet compliance standards or if it does not have prerequisite software installed. Apply context by restricting access based on factors such as location and whether the connection is encrypted.</li>
<li><b>Automate the remediation process</b> - Make it as simple as possible for the user to ensure device compliance by automating a majority of the remediation process. Do not rely on the user to know that they need to download and install a list of software components.</li>
<li><b>Monitor events and activities</b> - Monitor all devices accessing resources on the corporate network using a Security Information and Event Management (SIEM) solution that can provide auditable, actionable intelligence and can be tied to identities. In an environment filled with partially trusted, potentially compromised devices, visibility is paramount and incident response time critical.</li>
<li><b>Use scalable identities</b> - Reduce operational overhead in environments with many identity sources in a secure, standards-based manner by federating user identities across segmented zones and relying on trust levels to enforce access controls. As an example, consider the overlap between internal employee identities and their online identities that I alluded to earlier when talking about BYOI. Users with their own devices are usually already logged in to their online accounts. For ease of use and transparent single sign-on, security policies can be implemented to support levels of assurance (LOA). If an employee is already signed into Twitter, internal applications can utilise that identity, but at a lower level of trust. So, an employee can potentially use their Twitter credentials to access non-sensitive parts of the intranet. But if they want to access corporate email, they are required to provide their employee credentials, thus enforcing a higher LOA ("stepping up" their authentication level) and asserting with greater confidence (and reduced risk) that the employee is who they claim to be.</li>
<li><b>Provide secure devices</b> - An alternative to allowing employees to buy and bring their own devices is to let them pick what they want and pay for it with the trade-off being that they have to allow the organisation to load required software and implement relevant controls based on IT security policies. This presents a win-win situation for both organisation and employee. They use a device of their choice without having to pay for it and can access the corporate environment in a secure and compliant manner.</li>
<li><b>Encrypt sensitive information</b> - Encrypt any information placed on a non-standard device that is deemed to be company property. This may include the employee’s corporate email.</li>
</ul>
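To make the "enforce access control policies" and "use scalable identities" items above concrete, and to tie them back to the boarding pass point (what I am matters more than who I am), here is an added example of a small policy decision point. It is illustration code written for this post, not software from the original presentation or any product; the LOA numbers, credential types, resource names, prerequisite agents and sample requests are all constructed assumptions.<br />
<br />
```python
"""Added example (not from the original post): a small policy decision point
that checks identity, device compliance and context before applying a
level-of-assurance (LOA) policy, asking for step-up when the credential is
genuine but too weak for the resource.

All names, levels and mappings below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class LOA(IntEnum):
    """Constructed assurance levels: social login < employee credential < credential + second factor."""
    NONE = 0
    SOCIAL = 1        # already signed in to a social identity provider on the device
    EMPLOYEE = 2      # corporate username and password
    EMPLOYEE_MFA = 3  # corporate credential plus a second factor


# Assumed mapping from credential source to the assurance it earns.
CREDENTIAL_LOA = {
    "social": LOA.SOCIAL,
    "employee": LOA.EMPLOYEE,
    "employee+mfa": LOA.EMPLOYEE_MFA,
}

# Assumed resource catalogue: the minimum LOA each resource requires.
RESOURCE_MIN_LOA = {
    "intranet-news": LOA.SOCIAL,
    "corporate-email": LOA.EMPLOYEE,
    "hr-payroll": LOA.EMPLOYEE_MFA,
}

# Assumed prerequisite software a device must report before it is trusted.
REQUIRED_AGENTS = {"mdm-agent", "disk-encryption"}


@dataclass
class Device:
    """Device posture as reported by a compliance agent (constructed fields)."""
    compliant: bool                            # passes the organisation's compliance checks
    installed: Set[str] = field(default_factory=set)  # agents present on the device


@dataclass
class Request:
    subject: str      # identity asserted by the credential
    credential: str   # key into CREDENTIAL_LOA
    resource: str     # key into RESOURCE_MIN_LOA
    device: Device
    encrypted: bool   # transport is encrypted (context)
    location: str     # e.g. "office", "home", "unknown" (context)


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_to: Optional[LOA] = None  # when set, re-authenticate at this level and retry


def decide(req: Request) -> Decision:
    """Evaluate identity, then device, then context, then resource policy; default deny."""
    # 1. Identity: an unknown credential type or empty subject gives no assurance at all.
    loa = CREDENTIAL_LOA.get(req.credential, LOA.NONE)
    if loa == LOA.NONE or not req.subject:
        return Decision(False, "identity could not be determined")

    # 2. Device compliance and prerequisite software.
    if not req.device.compliant:
        return Decision(False, "device fails compliance checks")
    missing = REQUIRED_AGENTS - req.device.installed
    if missing:
        return Decision(False, f"device missing prerequisite software: {sorted(missing)}")

    # 3. Context: transport and location. A social login is not enough from an unknown location.
    if not req.encrypted:
        return Decision(False, "connection is not encrypted")
    if req.location == "unknown" and loa < LOA.EMPLOYEE:
        return Decision(False, "social login not accepted from an unknown location",
                        step_up_to=LOA.EMPLOYEE)

    # 4. Policy: the resource's minimum LOA. A genuine but weak credential triggers step-up.
    needed = RESOURCE_MIN_LOA.get(req.resource)
    if needed is None:
        return Decision(False, "unknown resource; default deny")
    if loa < needed:
        return Decision(False, f"{req.resource} requires LOA {int(needed)}, credential gives {int(loa)}",
                        step_up_to=needed)
    return Decision(True, f"{req.credential} credential satisfies LOA {int(needed)} for {req.resource}")


if __name__ == "__main__":
    # Constructed sample: a compliant BYO device, first with a social login, then stepped up.
    device = Device(compliant=True, installed={"mdm-agent", "disk-encryption"})
    for cred, res in [("social", "intranet-news"), ("social", "corporate-email"),
                      ("employee", "corporate-email"), ("employee", "hr-payroll")]:
        d = decide(Request("alice", cred, res, device, encrypted=True, location="home"))
        print(f"{cred:13} -> {res:16} allow={d.allow} step_up_to={d.step_up_to} ({d.reason})")
```
<br />
The order of the checks is the point: the device and connection are evaluated before the resource policy, so a non-compliant device is refused even for the least sensitive resource, and a genuine social login is not rejected outright for corporate email but is told which level it must step up to.<br />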
<br />
In summary, if you don’t remember anything else, please at least keep the following 5 things front of mind.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZOg3uIMZi7E/UKXXmMja2PI/AAAAAAAAAfQ/AhYVl21csTw/s1600/byo-summary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://2.bp.blogspot.com/-ZOg3uIMZi7E/UKXXmMja2PI/AAAAAAAAAfQ/AhYVl21csTw/s320/byo-summary.png" width="320" /></a></div>
<br /></div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-51218484453163308402012-11-13T23:02:00.000+11:002012-11-14T13:14:39.054+11:00Identity in an agile world<div dir="ltr" style="text-align: left;" trbidi="on">
This year, the public presentation I gave more than any other was titled: "Identity in an agile world". I put this together specifically for events in <a href="http://www.cso.com.au/breakfast/" target="_blank">Sydney, Melbourne</a>, <a href="http://www.netiqsecurityap.com/" target="_blank">Singapore, Kuala Lumpur, Wellington, Auckland, Bangalore, Mumbai</a>, Taiwan and Hong Kong.<br />
<br />
The most common question after each event was whether we could provide a recording of the session. The best I could do at the time was to send the slide deck to attendees. The next best thing is what I'm about to do: a blog post in the style of a presentation.<br />
<br />
As this is a presentation masquerading as a blog post, it will be different to my usual posts. There are a bunch of images littered throughout, which are all slides from my presentation deck (I've actually omitted a few, but this shouldn't affect the overall content). As a result, you'll see some text as images because they were slides. I've kept it this way instead of typing everything out to give you a better feel for the actual presentation.<br />
<br />
<i>Note: This was not intended as a technical presentation. There's some IAM101 in here too, so feel free to skim when required.</i><br />
<br />
<hr />
<br />
As enterprise trends go in 2012, Cloud and mobility have dominated the headlines. Almost every survey, study, whitepaper and article you read will talk about the pressure organisations are feeling in trying to deal with the seemingly unmanageable. Of course, the increased sophistication and frequency of attacks adds to the pressure. Top it off with further reduced budgets (which seems to be an issue regardless of the year) and IT departments having to do more with less and you very quickly have everyone in the room collectively shrugging.<br />
<br />
If you ask anyone who has had to deal with these pressures, they will tell you that scalability is paramount. If you cannot scale, forget about it. To scale, you need to be agile, not just from a security standpoint, but from an organisational standpoint. IT departments need to be able to integrate and secure new systems quickly and also react to issues, risks and requirements much faster than they are used to. If they don’t, business users will go around them and do things themselves.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BaG1GLKyhPk/UKHc7zvetnI/AAAAAAAAAQs/MGYl-JP4w4k/s1600/it-maintain-control.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="http://4.bp.blogspot.com/-BaG1GLKyhPk/UKHc7zvetnI/AAAAAAAAAQs/MGYl-JP4w4k/s320/it-maintain-control.png" width="320" /></a></div>
<br />
The biggest concern facing organisations, however, is security. How do you secure something you do not fully control? The enterprise perimeter has been disappearing for some time now, but I think we can all agree that the traditional enterprise perimeter is well and truly gone once Cloud and mobility come into play.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-HDs4L25WQ6s/UKHdekLz8II/AAAAAAAAAQ0/EQF-6DYFgOA/s1600/no-perimeter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="http://2.bp.blogspot.com/-HDs4L25WQ6s/UKHdekLz8II/AAAAAAAAAQ0/EQF-6DYFgOA/s320/no-perimeter.png" width="320" /></a></div>
<br />
There’s a popular school of thought that says identity is the new perimeter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8t3Nwn2fQ1Y/UKHeLEQnuLI/AAAAAAAAAQ8/ni0-YeN0nuc/s1600/identity-perimeter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://1.bp.blogspot.com/-8t3Nwn2fQ1Y/UKHeLEQnuLI/AAAAAAAAAQ8/ni0-YeN0nuc/s320/identity-perimeter.png" width="320" /></a></div>
<br />
That’s one way to look at it, but it's the wrong perspective, even though I don't disagree with it at a fundamental level. It's wrong because it means we’re still thinking in terms of perimeters. We must think of identity as the foundation on which enterprise security is built. That way, we no longer need to worry about whether there is a perimeter we can control.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-vhExyuRlEG8/UKHej50Ii2I/AAAAAAAAARE/r7LTElHAc1U/s1600/identity-foundation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="http://3.bp.blogspot.com/-vhExyuRlEG8/UKHej50Ii2I/AAAAAAAAARE/r7LTElHAc1U/s320/identity-foundation.png" width="320" /></a></div>
<br />
Identity management as a discipline can be very complex. Like most things, I find it easier to simplify. All we’re trying to do is provide auditable, trackable access to protected resources, regardless of where we’re coming from and what we’re using to get to them. That’s it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-gaZhbMfjvsg/UKHgivRWKdI/AAAAAAAAARM/bnH1s-6xil8/s1600/auditable-visible-access.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="http://1.bp.blogspot.com/-gaZhbMfjvsg/UKHgivRWKdI/AAAAAAAAARM/bnH1s-6xil8/s320/auditable-visible-access.png" width="320" /></a></div>
<br />
Before I move on, let’s run through a quick history lesson of the Identity and Access Management (IAM) industry. This is an extremely simplified version so please forgive any omissions.<br />
<br />
The last major paradigm shift in computing before the one we are currently experiencing was the move from primarily mainframe environments to distributed systems. With it came the problem of identities being stored in multiple places, with no practical way to manage them.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wBr7wddVGBI/UKHhENMKykI/AAAAAAAAARU/qRVJZ6pLLG4/s1600/siloes-of-identity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="http://1.bp.blogspot.com/-wBr7wddVGBI/UKHhENMKykI/AAAAAAAAARU/qRVJZ6pLLG4/s320/siloes-of-identity.png" width="320" /></a></div>
<br />
So we decided to attempt using centralised directories for everything. We said: “hey, let’s just have a single identity store and make everything point there”.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-aVYb291xiGQ/UKHha8TcllI/AAAAAAAAARc/49ztfqac3KA/s1600/centralised-directory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="http://4.bp.blogspot.com/-aVYb291xiGQ/UKHha8TcllI/AAAAAAAAARc/49ztfqac3KA/s320/centralised-directory.png" width="320" /></a></div>
<br />
It made sense at the time, but it was not always practical or even feasible. What it did do was reduce the number of identity stores. The siloed-identity problem remained, though, so we then turned to synchronisation tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-syYSgV_L0xA/UKHhwpv_hXI/AAAAAAAAARk/y5COVCLU8WY/s1600/identity-sync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="http://3.bp.blogspot.com/-syYSgV_L0xA/UKHhwpv_hXI/AAAAAAAAARk/y5COVCLU8WY/s320/identity-sync.png" width="320" /></a></div>
<br />
This worked just fine until those troublesome business folks got involved and wanted to wrap process around it. That’s essentially how we got to user provisioning solutions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kVp9HUWrLdM/UKHiDsAiT4I/AAAAAAAAARs/-SOpv4WHGpg/s1600/user-provisioning.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://3.bp.blogspot.com/-kVp9HUWrLdM/UKHiDsAiT4I/AAAAAAAAARs/-SOpv4WHGpg/s320/user-provisioning.png" width="320" /></a></div>
<br />
Once we had a process-oriented way to move our identities around, we had to figure out how to control access to resources while hiding the nastiness from our users and still maintaining an acceptable level of security. This gave us username/password authentication augmented with second and third factors, single sign-on, and access control solutions for all the systems we needed to use for our jobs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aQr1JXMpYfE/UKHiU0cldKI/AAAAAAAAAR0/ixAH5G0NDR0/s1600/authn-authz-sso,png.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://2.bp.blogspot.com/-aQr1JXMpYfE/UKHiU0cldKI/AAAAAAAAAR0/ixAH5G0NDR0/s320/authn-authz-sso,png.png" width="320" /></a></div>
<br />
Here’s a consolidated view of what I’ve just explained; the technical IAM big picture.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-A6_nPBgvJL4/UKHinz5ngmI/AAAAAAAAAR8/TlUBApvtUSE/s1600/iam-tech-big-picture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="http://2.bp.blogspot.com/-A6_nPBgvJL4/UKHinz5ngmI/AAAAAAAAAR8/TlUBApvtUSE/s320/iam-tech-big-picture.png" width="320" /></a></div>
<br />
This is a very enterprise-centric view of the world. So what happens when you throw in a few new challenges?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-tnrHcJaYg4U/UKHjYWZWkYI/AAAAAAAAASE/yWEUFGAGabc/s1600/iam-and-new-pressures.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="http://3.bp.blogspot.com/-tnrHcJaYg4U/UKHjYWZWkYI/AAAAAAAAASE/yWEUFGAGabc/s320/iam-and-new-pressures.png" width="320" /></a></div>
<br />
Other than Cloud and mobility, we have to deal with audit, governance and compliance requirements, and with locking down those pesky privileged users who can do anything they want. Ideally, we’d like to reuse what we’ve already implemented. But as I alluded to earlier, we can only reuse what we already have if the current infrastructure will scale. In addition, we need to think about this a little differently: we need a scalable, agile identity.<br />
<br />
We need to wrap our minds around this new-fangled way to think about IAM, but where do we find a scalable identity management system? What is a scalable, agile identity?<br />
<br />
Like many other things, we can borrow from the real world, because that’s where things generally work. We’ve had a scalable, agile identity there for many years.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-0zsyqEcj3n8/UKHkaO4aaZI/AAAAAAAAASM/7oMyYSWKgyM/s1600/au-passport.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/-0zsyqEcj3n8/UKHkaO4aaZI/AAAAAAAAASM/7oMyYSWKgyM/s320/au-passport.png" width="253" /></a></div>
<br />
A passport is the primary form of identification for most of us; it is typically the strongest physical identification method we have. It asserts that I’m a citizen of this country.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-SixDCWk5tAo/UKHktOHkXDI/AAAAAAAAASU/4K5Eyfm-ZzE/s1600/australia.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://2.bp.blogspot.com/-SixDCWk5tAo/UKHktOHkXDI/AAAAAAAAASU/4K5Eyfm-ZzE/s320/australia.png" width="320" /></a></div>
<br />
Whenever I get on a plane...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-lHzjjSFHWF0/UKHlPMnVKHI/AAAAAAAAASc/IpLAckiYe00/s1600/wing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://1.bp.blogspot.com/-lHzjjSFHWF0/UKHlPMnVKHI/AAAAAAAAASc/IpLAckiYe00/s320/wing.png" width="320" /></a></div>
<br />
To get to a different country...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tu_H6szRaUk/UKHlnriwGhI/AAAAAAAAASk/NwdSW36gOS4/s1600/world.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://2.bp.blogspot.com/-tu_H6szRaUk/UKHlnriwGhI/AAAAAAAAASk/NwdSW36gOS4/s320/world.png" width="320" /></a></div>
<br />
The officers at the airport let me in because they recognise the passport as being genuine (by performing relevant checks)...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-1ps3P6ATokU/UKHl8YOaPgI/AAAAAAAAASs/R9Fgt5FmMLc/s1600/border-security-airport.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="http://1.bp.blogspot.com/-1ps3P6ATokU/UKHl8YOaPgI/AAAAAAAAASs/R9Fgt5FmMLc/s320/border-security-airport.png" width="320" /></a></div>
<br />
And that it has been issued by a Government they trust, in my case Australia.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-DXk_KfiCnpM/UKHminaKXeI/AAAAAAAAAS0/Gm144YH2EJU/s1600/au-parliament-house.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="http://1.bp.blogspot.com/-DXk_KfiCnpM/UKHminaKXeI/AAAAAAAAAS0/Gm144YH2EJU/s320/au-parliament-house.png" width="320" /></a></div>
<br />
This is another form of identification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-FZAusPzjlis/UKHnSc7u5YI/AAAAAAAAAS8/-p224IlDvKY/s1600/nsw-drivers-licence.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="http://1.bp.blogspot.com/-FZAusPzjlis/UKHnSc7u5YI/AAAAAAAAAS8/-p224IlDvKY/s320/nsw-drivers-licence.png" width="320" /></a></div>
<br />
For most of us, this is our secondary form of identification. It also happens to be the one we use more often. This one says something else about me; that I live in this city.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-guriqvwW50w/UKHn8Wg8DLI/AAAAAAAAATE/u5IRSbnCs7w/s1600/sydney.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="199" src="http://4.bp.blogspot.com/-guriqvwW50w/UKHn8Wg8DLI/AAAAAAAAATE/u5IRSbnCs7w/s320/sydney.png" width="320" /></a></div>
<br />
Both forms of identification state when I was born, but...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-I3KzzUpBP3Y/UKHo17pmjeI/AAAAAAAAATM/cwGlBMGUcbY/s1600/no-one-cares-how-old-i-am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="79" src="http://2.bp.blogspot.com/-I3KzzUpBP3Y/UKHo17pmjeI/AAAAAAAAATM/cwGlBMGUcbY/s320/no-one-cares-how-old-i-am.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
They only care that I’m...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-cRazyDcokZM/UKHo-D1__oI/AAAAAAAAATU/xSYqzWmKg1E/s1600/over-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-cRazyDcokZM/UKHo-D1__oI/AAAAAAAAATU/xSYqzWmKg1E/s1600/over-13.png" /></a></div>
<br />
<div style="text-align: center;">
and</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-C8Ugi9_lC_k/UKHpFsBb3lI/AAAAAAAAATc/OkxS3vKBEdE/s1600/over-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-C8Ugi9_lC_k/UKHpFsBb3lI/AAAAAAAAATc/OkxS3vKBEdE/s1600/over-18.png" /></a></div>
<br />
<div style="text-align: center;">
and</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-sfbKu8RTwos/UKHpOa7xfBI/AAAAAAAAATk/boZwXGozQls/s1600/over-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-sfbKu8RTwos/UKHpOa7xfBI/AAAAAAAAATk/boZwXGozQls/s1600/over-21.png" /></a></div>
<br />
<div style="text-align: center;">
and</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-QCkydmnaEF0/UKHpUuQSkoI/AAAAAAAAATs/S3dCUWlIN5Q/s1600/under-65.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-QCkydmnaEF0/UKHpUuQSkoI/AAAAAAAAATs/S3dCUWlIN5Q/s1600/under-65.png" /></a></div>
<br />
Why? Let’s look at an example. This is the Bellagio in Las Vegas.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-4Tms0xa-7Qc/UKHpqbvNeUI/AAAAAAAAAT0/eNnhUn45K74/s1600/bellagio.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="http://2.bp.blogspot.com/-4Tms0xa-7Qc/UKHpqbvNeUI/AAAAAAAAAT0/eNnhUn45K74/s320/bellagio.png" width="320" /></a></div>
<br />
When I go to a casino in the US, they care that I’m over 21. That’s the condition of entry. But they won’t accept this as proof.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-mfM5lM9tNDc/UKHra64QOqI/AAAAAAAAAT8/D8D-2lGudk8/s1600/drivers-licence-no.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="http://2.bp.blogspot.com/-mfM5lM9tNDc/UKHra64QOqI/AAAAAAAAAT8/D8D-2lGudk8/s320/drivers-licence-no.png" width="320" /></a></div>
<br />
They need this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-kyHK4fCEXwA/UKHrh_RSMvI/AAAAAAAAAUE/HasuP-VNhTo/s1600/passport-yes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-kyHK4fCEXwA/UKHrh_RSMvI/AAAAAAAAAUE/HasuP-VNhTo/s320/passport-yes.png" width="273" /></a></div>
<br />
Here’s another example. Whenever I want to go to one of these places...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-xiLFOVdrMlo/UKIM0Bn9_7I/AAAAAAAAAUc/QDdynNbgx_E/s1600/bar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-xiLFOVdrMlo/UKIM0Bn9_7I/AAAAAAAAAUc/QDdynNbgx_E/s320/bar.png" width="320" /></a></div>
<br />
To have one of these...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QAEBSkJjqsY/UKINCDM8v-I/AAAAAAAAAUk/A5qtYhy4aoI/s1600/beer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="http://1.bp.blogspot.com/-QAEBSkJjqsY/UKINCDM8v-I/AAAAAAAAAUk/A5qtYhy4aoI/s320/beer.png" width="320" /></a></div>
<br />
They don’t care how old I am. In the US, they just care that I’m over 21.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-xqOPEJzhTxQ/UKINcI97XJI/AAAAAAAAAUs/t9U9vtnmxWs/s1600/us-over-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="http://2.bp.blogspot.com/-xqOPEJzhTxQ/UKINcI97XJI/AAAAAAAAAUs/t9U9vtnmxWs/s320/us-over-21.png" width="320" /></a></div>
<br />
In Australia, they care that I’m over 18.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-MlWUMFb1XUc/UKINh7JOEFI/AAAAAAAAAU0/uH0bvISMAOA/s1600/au-over-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="http://4.bp.blogspot.com/-MlWUMFb1XUc/UKINh7JOEFI/AAAAAAAAAU0/uH0bvISMAOA/s320/au-over-18.png" width="320" /></a></div>
<br />
<div style="text-align: left;">
So...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-APqD0vnvLi8/UKIN2_3S0eI/AAAAAAAAAU8/ARPWT8yo_Sk/s1600/common-thread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="38" src="http://4.bp.blogspot.com/-APqD0vnvLi8/UKIN2_3S0eI/AAAAAAAAAU8/ARPWT8yo_Sk/s400/common-thread.png" width="400" /></a></div>
<br />
It's that...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Sd89asxNBD0/UKIO3hULdkI/AAAAAAAAAVE/lKD9L7UaRwY/s1600/access-to-things.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Sd89asxNBD0/UKIO3hULdkI/AAAAAAAAAVE/lKD9L7UaRwY/s1600/access-to-things.png" /></a></div>
<div style="text-align: center;">
...</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-7gasDn_Pcjc/UKIO-MyNUQI/AAAAAAAAAVM/f5QyOPoyviM/s1600/no-matter-who-i-am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="http://4.bp.blogspot.com/-7gasDn_Pcjc/UKIO-MyNUQI/AAAAAAAAAVM/f5QyOPoyviM/s400/no-matter-who-i-am.png" width="400" /></a></div>
<div style="text-align: center;">
...</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3NRFwnTKrPw/UKIPEMyYHuI/AAAAAAAAAVU/eHK9QuRZmqc/s1600/matters-what-i-am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-3NRFwnTKrPw/UKIPEMyYHuI/AAAAAAAAAVU/eHK9QuRZmqc/s1600/matters-what-i-am.png" /></a></div>
<br />
Identity in the real world is about reputation, context and trust.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-8f5oS3rYbsA/UKIQAY-Ss2I/AAAAAAAAAVc/MtONQ0TTmVI/s1600/identity-reputation-context-trust.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-8f5oS3rYbsA/UKIQAY-Ss2I/AAAAAAAAAVc/MtONQ0TTmVI/s1600/identity-reputation-context-trust.png" /></a></div>
<br />
Reputation can be made up of multiple things which an entity might store about me, but it also has a lot to do with where I’m from and the demographic I fit into. We've all been unfairly stereotyped before. Unfortunately, this is part of the reputation angle. Decisions can be made based on things that are implied about us no matter how unfair or untrue. Context is all about what I’m trying to do or get access to. Trust is about whether the form of identification I’m using (i.e. my credential) is genuine and issued by a reputable, trusted party in the context of what I’m doing and where I’m doing it.<br />
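<br />
To put the passport and driver's licence story into code, here is an added example that is not part of the original post: a relying party that accepts only the issuers it trusts for its own context and checks the predicate it cares about (over 21, over 18) instead of keeping the date of birth. The token format, the issuer names, the policies and the HMAC keys standing in for issuer signatures are all assumptions made for illustration.<br />
<br />
```python
"""Added example, not code from the original post: a relying party deciding on
issued claims. An issuer signs an attribute bundle; each relying party trusts
only the issuers that are reputable in its context and checks the predicate it
cares about (over 21, over 18) rather than keeping the date of birth. The token
format, the HMAC keys standing in for issuer signatures, the issuer names and the
policies are all assumptions for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed issuer keys. Assumption: a shared HMAC key per issuer stands in for
# the issuer's signing key; a real credential would carry a public-key signature.
ISSUER_KEYS: Dict[str, bytes] = {
    "gov.au.passport": b"au-passport-signing-key",
    "nsw.rms.licence": b"nsw-licence-signing-key",
}


def issue(issuer: str, claims: dict) -> str:
    """Issuer side: sign a claim set. Returns 'b64(payload).b64(tag)'."""
    payload = json.dumps({"iss": issuer, **claims}, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify(token: str, trusted: Dict[str, bytes]) -> Optional[dict]:
    """Relying-party side: genuine AND from an issuer trusted here, else None."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict):
        return None
    key = trusted.get(claims.get("iss"))
    if key is None:
        return None  # may well be genuine, but this issuer is not trusted in this context
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered after issue
    return claims


def age_on(dob: str, today: date) -> int:
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


# Context decides which issuers are acceptable and which predicate must hold.
# The Las Vegas casino takes only the passport; the Australian bar also takes the
# state driver's licence, and needs a lower age.
POLICIES = {
    "us-casino": {"trusted": {"gov.au.passport"}, "min_age": 21},
    "au-bar": {"trusted": {"gov.au.passport", "nsw.rms.licence"}, "min_age": 18},
}


def admit(context: str, token: str, today: date) -> Tuple[bool, str]:
    """Returns (decision, reason). Only the derived yes/no leaves this function;
    the date of birth itself is never returned or stored."""
    policy = POLICIES[context]
    trusted = {name: ISSUER_KEYS[name] for name in policy["trusted"]}
    claims = verify(token, trusted)
    if claims is None:
        return False, "credential not genuine or issuer not trusted here"
    if "dob" not in claims:
        return False, "credential carries no date of birth"
    if age_on(claims["dob"], today) < policy["min_age"]:
        return False, "not over %d" % policy["min_age"]
    return True, "over %d" % policy["min_age"]


if __name__ == "__main__":
    today = date(2012, 11, 13)
    passport = issue("gov.au.passport", {"sub": "ian", "dob": "1980-05-01"})
    licence = issue("nsw.rms.licence", {"sub": "ian", "dob": "1980-05-01"})
    print("casino, licence :", admit("us-casino", licence, today))
    print("casino, passport:", admit("us-casino", passport, today))
    print("bar, licence    :", admit("au-bar", licence, today))
```
<br />
The three ingredients from the slide map directly onto the code: trust is the issuer key set each context accepts, context is the policy that is looked up, and the decision the relying party keeps is the predicate rather than the attribute. Note that the licence is rejected at the casino not because the signature fails but because that issuer is not trusted in that context, which is exactly the distinction a verifier has to make.<br />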
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-10ixVeBWfvs/UKIRDmPVwJI/AAAAAAAAAVk/G0lkmvQ7N6I/s1600/assurances-about-access-misuse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="http://3.bp.blogspot.com/-10ixVeBWfvs/UKIRDmPVwJI/AAAAAAAAAVk/G0lkmvQ7N6I/s400/assurances-about-access-misuse.png" width="400" /></a></div>
<br />
Once I get past the controls, however, I can misuse my legitimate access or, in some cases, do much worse. Alternatively, someone or something may have stolen my credentials in order to pose as me. Access control systems have no real way of knowing. That's how many real-life crimes and frauds are committed. "Who I am" doesn’t matter. It's not even about "what I am" anymore. Both of these aspects are irrelevant or useless in the circumstances. With the right access...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-bfc4tF0FtJo/UKIRxynfu7I/AAAAAAAAAVs/5w5JnRd0WzA/s1600/same-person-i-was-yesterday.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="http://4.bp.blogspot.com/-bfc4tF0FtJo/UKIRxynfu7I/AAAAAAAAAVs/5w5JnRd0WzA/s400/same-person-i-was-yesterday.png" width="400" /></a></div>
<br />
To account for this, we need a new dimension on top of identity. We need to track behaviour.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-HVhj-fTieC0/UKISJv5r1QI/AAAAAAAAAV0/DW6Vk3ea8uQ/s1600/new-dimension.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="279" src="http://1.bp.blogspot.com/-HVhj-fTieC0/UKISJv5r1QI/AAAAAAAAAV0/DW6Vk3ea8uQ/s320/new-dimension.png" width="320" /></a></div>
<br />
We hear about breaches almost weekly now. There are many others that never get reported. The fact is that they happen all the time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-sgkTQlSJGvo/UKISdtlqZlI/AAAAAAAAAV8/Jqvn7sQz6Ho/s1600/2012-breach-stats.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="http://1.bp.blogspot.com/-sgkTQlSJGvo/UKISdtlqZlI/AAAAAAAAAV8/Jqvn7sQz6Ho/s400/2012-breach-stats.png" width="400" /></a></div>
<br />
The key to minimising the fallout if something does happen is the ability to react quickly. You need identity and behavioural analysis to help determine the appropriate steps to take.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/--ZSrtvp-IXs/UKITOEuLQbI/AAAAAAAAAWE/JuusbMzk1hw/s1600/ability-to-react-png.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="http://1.bp.blogspot.com/--ZSrtvp-IXs/UKITOEuLQbI/AAAAAAAAAWE/JuusbMzk1hw/s400/ability-to-react-png.png" width="400" /></a></div>
<br />
If not, you’re sitting there with the knowledge that something bad is happening but powerless to stop it.<br />
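<br />
Here is what tracking behaviour on top of identity can look like in its simplest form, as an added example that is not part of the original presentation. It runs a few rules over constructed access events (a login from a country this identity has never used, two countries within a few hours, a burst of reads on one resource, a first-ever access to a resource) and builds the baseline from the same identity's earlier events. The log format, the thresholds and the events themselves are assumptions.<br />
<br />
```python
"""Added example, not code from the original presentation: a few behavioural
rules run over access events, layered on top of the identity each event is
tied to. The baseline is built from the same identity's earlier events, so the
first day in the sample is learning and the second day is judged against it.
Log format, thresholds and the events themselves are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed events: "<timestamp> <user> <action> <resource> <country> <ip>".
# A login has no resource, written as "-".
SAMPLE_LOG = """\
2012-11-12T08:55:10Z ian login - AU 203.0.113.7
2012-11-12T09:01:44Z ian read hr-payroll AU 203.0.113.7
2012-11-12T14:20:02Z ian read hr-payroll AU 203.0.113.7
2012-11-13T08:50:33Z ian login - AU 203.0.113.7
2012-11-13T09:10:12Z ian read hr-payroll AU 203.0.113.7
2012-11-13T11:02:51Z ian login - RO 198.51.100.23
2012-11-13T11:03:05Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:03:09Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:03:14Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:03:20Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:03:27Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:03:33Z ian read hr-payroll RO 198.51.100.23
2012-11-13T11:04:30Z ian read customer-db RO 198.51.100.23
"""

TRAVEL_WINDOW = timedelta(hours=6)    # assumption: two countries this close is suspect
BURST_WINDOW = timedelta(minutes=5)   # assumption
BURST_LIMIT = 5                       # assumption: more than this many reads per window

Alert = Tuple[str, str, str]  # (timestamp, rule, detail)


def parse(line: str):
    ts, user, action, resource, country, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, resource, country, ip


def analyse(log_text: str) -> List[Alert]:
    """Evaluate each event against what the same identity did before it."""
    countries: Dict[str, Set[str]] = defaultdict(set)
    resources: Dict[str, Set[str]] = defaultdict(set)
    last_login: Dict[str, Tuple[datetime, str]] = {}
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, country, ip = parse(line)
        when = ts.isoformat()
        if action == "login":
            if countries[user] and country not in countries[user]:
                alerts.append((when, "new-country", f"{user} from {country} via {ip}"))
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
                alerts.append((when, "impossible-travel",
                               f"{user} {prev[1]} then {country} within {ts - prev[0]}"))
            countries[user].add(country)
            last_login[user] = (ts, country)
            continue
        if resources[user] and resource not in resources[user]:
            alerts.append((when, "new-resource", f"{user} first access to {resource}"))
        resources[user].add(resource)
        window = recent[(user, resource)]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:  # drop reads older than the window
            window.popleft()
        if len(window) == BURST_LIMIT + 1:  # fire once, when the limit is first crossed
            alerts.append((when, "burst",
                           f"{user} {len(window)} reads of {resource} in {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for when, rule, detail in analyse(SAMPLE_LOG):
        print(when, rule.ljust(18), detail)
```
<br />
Every event in the sample is authenticated and authorised; a pure access control system would wave all of it through. The rules only work because each event is tied to an identity whose history can be compared against, which is the point of calling behaviour a dimension on top of identity rather than a replacement for it. In practice the thresholds would be tuned per population and the alerts fed to whatever can actually act (step-up authentication, session revocation, a human), rather than just printed.<br />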
<br />
In the real world, privacy laws prevent measures from going beyond what we deem to be acceptable, but we’re more or less a surveillance society nowadays. Add our online personas and social networking profiles into the mix and never has it been easier to intrude on someone's privacy.<br />
<br />
Take a look at this for a minute (click on the image for the larger version)...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UrmKEVz3D8s/UKITa3axipI/AAAAAAAAAWM/PIYX_LQQ0rY/s1600/surveillance-society.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://4.bp.blogspot.com/-UrmKEVz3D8s/UKITa3axipI/AAAAAAAAAWM/PIYX_LQQ0rY/s320/surveillance-society.png" width="320" /></a></div>
<br />
Something like what you see here isn’t completely outside the realm of possibility. We just need a few technologies to get better (facial recognition being the obvious candidate for improvement) and we’re pretty much there (especially with <a href="https://plus.google.com/+projectglass/posts" target="_blank">Google Glass</a>). Cutting-edge technology aside, let's think about how this is even remotely possible. Give up? It's because...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-5TNAow0WtQw/UKIUU2PcgFI/AAAAAAAAAWU/6Rl0ndhYlkU/s1600/social-identities-are-scalable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="http://2.bp.blogspot.com/-5TNAow0WtQw/UKIUU2PcgFI/AAAAAAAAAWU/6Rl0ndhYlkU/s400/social-identities-are-scalable.png" width="400" /></a></div>
<br />
With an enterprise identity foundation that is scalable, you can absolutely do this from an organisational risk management and threat mitigation standpoint. But how does an enterprise do it? As I've said before, <a href="http://bit.ly/RSnQHQ" target="_blank">Standards and APIs are key</a>. This needs to work hand-in-hand with portable, embeddable, sharable enterprise credentials (identities).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-vxzXjt9S2mY/UKIUjiQUKBI/AAAAAAAAAWc/S2X07e2GKOI/s1600/required-in-the-enterprise.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="http://1.bp.blogspot.com/-vxzXjt9S2mY/UKIUjiQUKBI/AAAAAAAAAWc/S2X07e2GKOI/s320/required-in-the-enterprise.png" width="320" /></a></div>
<br />
In the real world, we can't exactly do a lot with regards to the items in red (at least not legally). But all the data within enterprise-owned systems is accessible to allow for this. More on that after this next part.<br />
<br />
I've tried to keep technology to a minimum, but I felt the need to at least summarise the most commonly used standards today and their purposes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Y1H0HkMKWuA/UKIZdqeZpII/AAAAAAAAAW4/VztoUGVBYUQ/s1600/identity-standards-landscape.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-Y1H0HkMKWuA/UKIZdqeZpII/AAAAAAAAAW4/VztoUGVBYUQ/s320/identity-standards-landscape.png" width="320" /></a></div>
<br />
I won't explain what each of these are. You're all capable of looking them up. Some of these will evolve to take on other use cases. Some will cease to be relevant. If I had to bet, my money would be on the standards being used in the consumer space making their way into the enterprise, not the other way around.<br />
<br />
Now, back to the items in red from the previous slide. Let's talk about the behavioural analysis side of things. I’m going to borrow again from the real world; well, almost real.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-qEU-eu6qxyA/UKIZ11zaDoI/AAAAAAAAAXA/UuSv_PdHh1I/s1600/warcraft.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="http://1.bp.blogspot.com/-qEU-eu6qxyA/UKIZ11zaDoI/AAAAAAAAAXA/UuSv_PdHh1I/s320/warcraft.png" width="320" /></a></div>
<br />
This is a screen shot from World of Warcraft. Graphics and virtual world aside, massively multiplayer online role-playing games (MMORPGs) are built on a foundation of identities. Without identities, we don’t have characters; more accurately, we don't have avatars in the game. When we walk through one of these virtual gaming worlds, we have displays that tell us who an avatar is and their relevant attributes. We make decisions very quickly, based on the contextual information available, about whether the avatar is friend or foe: we decide whether to have them join our guild or zap them with the weapons at our disposal, as in this screen shot. Is this so different from what we should be doing when analysing what goes on in our enterprise environments?<br />
<br />
If you don't remember a thing I've said (written), please remember this...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-GEfe6_6Fvrg/UKIaTA2kDtI/AAAAAAAAAXI/yRqBhPjMWrg/s1600/identity-in-the-enterprise-must-be.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://4.bp.blogspot.com/-GEfe6_6Fvrg/UKIaTA2kDtI/AAAAAAAAAXI/yRqBhPjMWrg/s320/identity-in-the-enterprise-must-be.png" width="320" /></a></div>
<br />
The fact that I've managed to spell out "SAVE" is completely coincidental, but hopefully it helps us SAVE it to memory.<br />
<div>
<br /></div>
</div>
Ianhttp://www.blogger.com/profile/07620054411151781462noreply@blogger.com0tag:blogger.com,1999:blog-36930068.post-29811579432076014862012-10-23T15:22:00.003+11:002012-10-24T11:48:30.297+11:00Do security like a start-up or get fired - Standards, APIs<div dir="ltr" style="text-align: left;" trbidi="on">
This is part of a blog series. For more details, start with the <a href="http://bit.ly/NgWJEI" target="_blank">intro</a>.<br />
<h2 style="text-align: left;">
Standards & APIs</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-gm5e2x2fnBs/UITpOpUSxFI/AAAAAAAAAQY/sg-X-eddWSU/s1600/jigsaw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="http://4.bp.blogspot.com/-gm5e2x2fnBs/UITpOpUSxFI/AAAAAAAAAQY/sg-X-eddWSU/s320/jigsaw.png" width="320" /></a></div>
If you build an application today, you get laughed out of the room if you don't have an Application Programming Interface (API). You also occasionally get laughed out of the room if you don't use standards where possible.<br />
<br />
In terms of standards, we're talking both industry (open) and internal (proprietary) standards. In the enterprise, it's sometimes acceptable to use a proprietary standard in the absence of a semi-mature industry option because it's the architecturally elegant way to go about things. The point I'm making is, use one. Just make sure there's a standard, published way for teams within the organisation (and externally when required) to hook into common services.<br />
<br />
The proliferation of systems across traditional enterprises that reinvent the wheel instead of reusing existing services is a joke. Unfortunately, this is the norm rather than the exception due to various factors, the most common being that the powers-that-be did not bother architecting, implementing and mandating a centralised, standardised way to reuse core services. Ultimately, this is really about the APIs an organisation makes available. More importantly, those APIs have to scale. If they don't, no one is going to use them, even if they're mandated.<br />
<br />
What the enterprise service bus and services oriented architecture marketing blurbs were promising a few years ago, agile companies are making a reality today. The difference is that they’re not doing it with enterprise web service standards like <a href="http://en.wikipedia.org/wiki/SOAP" target="_blank">SOAP</a>, which is too heavy for many of the use cases today. Everything is about <a href="http://en.wikipedia.org/wiki/Representational_state_transfer" target="_blank">REST</a>. It’s a lighter weight, more natural way of doing things.<br />
<br />
Like with most things in the technology world, the poor cousin of the API world is security. This needs to change. Security is the one thing that MUST be used across all systems. It is also the most difficult aspect to manage if you do not centralise it. Most organisations don't realise this until they have a huge mess, at which point it's too little, too late.<br />
<br />
With the maturing security standards available today, there is no excuse not to bake security into how systems interact and also not to have common security services be centralised. OpenID, OAuth and SCIM are starting to gain real traction as they are REST-friendly and work well enough in the web-enabled world. In an enterprise setting, many organisations are starting to really explore these as options whereas in the past, many would insist on sticking with SAML, XACML and SPML.<br />
<br />
In reality, many look at a hybrid model; instead of mandating a single standard for a use case type (e.g. federated single sign-on), organisations are relying on off-the-shelf software products to provide the range of support for the varying use cases required and using policies to determine the appropriate standard based on context.<br />
<br />
An agile enterprise is built on interoperability, reuse and centralisation of key services. Security is one such service. The moving parts need to be secured and the common security mechanisms need to be centralised and made available to all systems. Standards and APIs are core to being able to deliver on this.<br />
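As an added example (not code from the original post, nor from any of the products or standards bodies it mentions), here is a minimal SCIM 2.0 User handler of the kind a centralised identity service would expose over REST so that other teams hook into one standard provisioning interface instead of reinventing it. The schema URNs and attribute names are the ones defined in RFC 7643 and RFC 7644; the internal Account model, the error class and the sample payload are constructed for this example.<br />

```python
"""Added example, not code from the original post: a minimal handler for
SCIM 2.0 User resources, the kind of REST-friendly standard the post says
lets teams hook into a centralised identity service. Schema URNs and
attribute names follow RFC 7643/7644; the Account model, error class and
sample payload are constructed for this example."""
import json
from dataclasses import dataclass, field

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimError(ValueError):
    """Carries the status/detail/scimType of a SCIM error response (RFC 7644 s3.12)."""

    def __init__(self, status, detail, scim_type=None):
        super().__init__(detail)
        self.status, self.detail, self.scim_type = status, detail, scim_type

    def to_dict(self):
        body = {"schemas": [SCIM_ERROR], "status": str(self.status), "detail": self.detail}
        if self.scim_type:
            body["scimType"] = self.scim_type
        return body


@dataclass
class Account:
    """Internal representation; constructed for the example, not a SCIM type."""
    user_name: str
    given_name: str = ""
    family_name: str = ""
    emails: list = field(default_factory=list)
    active: bool = True


def parse_scim_user(payload: str) -> Account:
    """Validate an inbound POST /Users body and map it to an Account.

    Validating once at the shared API means every consuming system gets the
    same checks rather than each team writing its own."""
    try:
        doc = json.loads(payload)
    except ValueError:
        raise ScimError(400, "Request body is not valid JSON", "invalidSyntax")
    if not isinstance(doc, dict) or SCIM_USER not in doc.get("schemas", []):
        raise ScimError(400, f"Body must declare schema {SCIM_USER}", "invalidValue")
    user_name = doc.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        raise ScimError(400, "userName is required", "invalidValue")
    name = doc.get("name") or {}
    emails = []
    for entry in doc.get("emails", []):
        value = entry.get("value") if isinstance(entry, dict) else None
        if not isinstance(value, str) or "@" not in value:
            raise ScimError(400, "emails[].value must be an email address", "invalidValue")
        emails.append(value.strip().lower())
    return Account(
        user_name=user_name.strip(),
        given_name=str(name.get("givenName", "")),
        family_name=str(name.get("familyName", "")),
        emails=emails,
        active=bool(doc.get("active", True)),
    )


def to_scim_user(acct: Account, resource_id: str, base_url: str) -> dict:
    """Serialise an Account as a SCIM User resource with the standard meta block."""
    return {
        "schemas": [SCIM_USER],
        "id": resource_id,
        "userName": acct.user_name,
        "name": {"givenName": acct.given_name, "familyName": acct.family_name},
        "emails": [{"value": e, "primary": i == 0} for i, e in enumerate(acct.emails)],
        "active": acct.active,
        "meta": {"resourceType": "User", "location": f"{base_url}/Users/{resource_id}"},
    }


def list_response(resources: list, start_index: int = 1, count: int = 100) -> dict:
    """Page a GET /Users result as RFC 7644 s3.4.2 describes (1-based startIndex)."""
    page = resources[start_index - 1 : start_index - 1 + count]
    return {
        "schemas": [SCIM_LIST],
        "totalResults": len(resources),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    }


# Constructed sample request body, as an identity provider would POST it.
SAMPLE_USER = json.dumps({
    "schemas": [SCIM_USER],
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "Jane.Doe@example.com", "primary": True}],
    "active": True,
})

if __name__ == "__main__":
    acct = parse_scim_user(SAMPLE_USER)
    print(json.dumps(to_scim_user(acct, "2819c223", "https://idm.example.com/scim/v2"), indent=2))
```

The point of the shape is that the validation and the error format live in one place: a consuming team only needs to know the standard, and a malformed request is rejected identically whichever system sends it.<br />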
<br />
This brings the "Do security like a start-up or get fired" blog series to a close. If you missed anything along the way, head back to the <a href="http://bit.ly/NgWJEI" target="_blank">start</a> and catch up on the considerations you didn't get a chance to read.</div>
<b>Confirmed - Sharing your Dropbox files via Facebook makes them public</b> (by <a href="http://www.blogger.com/profile/07620054411151781462">Ian</a>; published 2012-10-22)<div dir="ltr" style="text-align: left;" trbidi="on">
Late last month, I wrote a blog post regarding the <a href="http://bit.ly/Scq8AB" target="_blank">sharing of Dropbox files via Facebook and the fact that doing so made your file public</a>. At the time, I didn't have the feature available in my account so couldn't test it.<br />
<br />
I've since managed to test it out and my conclusion was correct. If you share your file with a Facebook Group, you've just made it public. In other words, don't do it for anything other than your public files.<br />
<br />
Read the full post <a href="http://bit.ly/Scq8AB" target="_blank">here</a>. </div>
<b>Do security like a start-up or get fired - It's just IT</b> (by <a href="http://www.blogger.com/profile/07620054411151781462">Ian</a>; published 2012-10-17, updated 2012-11-20)<div dir="ltr" style="text-align: left;" trbidi="on">
This is part of a blog series. For more details, start with the <a href="http://bit.ly/NgWJEI" target="_blank">intro</a>.<br />
<h2 style="text-align: left;">
Cloud and BYOD are just IT</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-HVreyIDXJmE/UH6D77qUdVI/AAAAAAAAAQE/q-OlT2dZoDo/s1600/Cloud-BYOD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://1.bp.blogspot.com/-HVreyIDXJmE/UH6D77qUdVI/AAAAAAAAAQE/q-OlT2dZoDo/s320/Cloud-BYOD.png" width="320" /></a></div>
BYOD of course, stands for "Bring Your Own Device". I've written a few articles about this (<a href="http://bit.ly/GYVQxN" target="_blank">here</a> and <a href="http://bit.ly/Qs6fqK" target="_blank">here</a>) if you're interested in more in-depth content. I'll also be writing a follow-up post to recap my recent series of presentations on the Consumerisation of IT (<i>update - 20 Nov 2012: follow up post is <a href="http://bit.ly/UEqvVw" target="_blank">now available</a></i>). For these reasons, I'll keep this post fairly short.<br />
<br />
Almost everyone I come across is talking or asking about Cloud and BYOD. News outlets can’t help themselves either, because putting Cloud or BYOD in the headline is click bait. An agile company however, doesn’t talk about Cloud or BYOD. It’s called Information Technology.<br />
<br />
Cloud is really just a change in the economic model of how an organisation pays for IT, unless you're still running everything on mainframes. Why? Because the perimeter disappeared some time ago. From a security standpoint, organisations need to focus on one thing: information.<br />
<br />
Protect the information (notice I didn't say data), and you've solved a huge part of the Cloud security issue. This is obviously easier said than done, especially if you don't know where everything is, what information you have and how to protect it. But identifying the problem and learning what to focus on is usually the hardest part. Once you figure out what to focus on, good project management, prioritisation and resource allocation will get you most of the way. Execution gets you the rest of the way.<br />
<br />
Both Cloud and BYOD are simply the compelling events for organisations with their heads in the sand to finally notice that there hasn’t been a security perimeter for quite some time. If you realised that a long time ago and did something about it, you're in a great position to deal with both.<br />
<br />
Going the extra mile with tactical products like Mobile Device Management (MDM) and Mobile Application Management (MAM) should really be an extension of the endpoint management policy you've had in place. MDM and MAM should NOT be the way you deal with BYOD. As mentioned above, I'll expand on this in a <a href="http://bit.ly/UEqvVw" target="_blank">later blog post</a> (<a href="http://zd.net/RvL7zG" target="_blank">here's</a> a sneak peek of what I said, nicely written up by ZDNet). <i>Update - 20 Nov 2012: blog post <a href="http://bit.ly/UEqvVw" target="_blank">now available</a>.</i><br />
<br />
Ultimately, it's all about the information. Figure out where it is. How people get to it. Control access (and understand context). Know the identities. Have the visibility required to react quickly when required. This is called having a good security foundation to build on, with <a href="http://bit.ly/UhcBZZ" target="_blank">identity being at the core</a>. Your organisation becomes more agile and security becomes a lot easier once you've got your foundation in place.<br />
<br />
Don't let Cloud and BYOD intimidate you out of running business as usual if you've been doing it right. If you haven't been doing it properly, consider Cloud and BYOD your kick in the backside.<br />
<br />
Next up - <a href="http://bit.ly/RSnQHQ" target="_blank">Standards & APIs</a>.</div>
<b>Sharing your Dropbox files via Facebook makes them public</b> (by <a href="http://www.blogger.com/profile/07620054411151781462">Ian</a>; published 2012-09-28, updated 2012-10-22)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-9ZkuDU6h8v0/UGRq3CVV0JI/AAAAAAAAAPw/k63iacdXXqs/s1600/fb-dropbox-no.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="http://2.bp.blogspot.com/-9ZkuDU6h8v0/UGRq3CVV0JI/AAAAAAAAAPw/k63iacdXXqs/s320/fb-dropbox-no.png" width="320" /></a></div>
<a href="http://dropbox.com/" target="_blank">Dropbox</a> just <a href="https://blog.dropbox.com/index.php/share-stuff-from-dropbox-in-your-facebook-groups/" target="_blank">announced</a> a partnership with <a href="http://facebook.com/" target="_blank">Facebook</a> that allows you to share your Dropbox files with fellow Facebook Group members. If you read through the comments on Dropbox's post, the reactions are mixed, with some stating they will stop using Dropbox altogether. Many of the negative reactions look to be due to issues with Facebook's track record and disregard towards privacy.<br />
<br />
<strike>I should qualify this post by pointing out that this feature isn't active in my account yet so I haven't been able to test it. i.e. I could be wrong. Here are my initial thoughts based on what I've read.</strike><br />
<br />
<i>Update (22 October 2012): I've tested it and my conclusions are correct.</i><br />
<h2 style="text-align: left;">
Access control </h2>
First of all, the access controls are not sufficiently granular. Access is tied to a group, which means if you post a file, anyone in that group can read it. There doesn't seem to be an option for more granular control. Sure, you could create more groups and add the people you want to them. But those of you in the Identity & Access Management world know what happens when you constantly add roles/groups within an environment for additional segregation. Pretty soon, you'll have more groups than friends.<br />
<br />
At least we have some level of access control right? That's what it seems. But alas, not really.<br />
<h2 style="text-align: left;">
Every group member is effectively an administrator</h2>
When you create a group in Facebook, the default setting is to allow any member to add other people to the group. At creation time you aren't even given the option, so you can't make an informed decision.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-b9j0vTski3E/UGRYVWuAx8I/AAAAAAAAAO8/pGdRZm4aaSY/s1600/fb-group-create.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://4.bp.blogspot.com/-b9j0vTski3E/UGRYVWuAx8I/AAAAAAAAAO8/pGdRZm4aaSY/s320/fb-group-create.png" width="320" /></a></div>
You can only change this setting after the group has been created (if you actually know about it and can be bothered to go looking).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-T9-4LpCGOIQ/UGRYer0T_eI/AAAAAAAAAPE/KRlQCcvy0rE/s1600/fb-group-settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://2.bp.blogspot.com/-T9-4LpCGOIQ/UGRYer0T_eI/AAAAAAAAAPE/KRlQCcvy0rE/s400/fb-group-settings.png" width="400" /></a></div>
<br />
This seems to be done intentionally by Facebook to "encourage sharing and openness", as they sometimes like to put it. If you understand user behaviour, you'll know that because of this, for almost every single group defined in Facebook, any member is going to be able to add others to the group.<br />
<br />
How is this a problem? The fact that any member within the group can add others means the group is effectively a public forum with the minor hurdle being that you have to convince a member to invite you. It's about as good as saying you're throwing a private party and assuming no one is going to give your address to one of their friends that you didn't explicitly invite. In other words, your file can potentially be seen by other people you never intended to give access to. In posting your file to the group, you are effectively delegating control over the read-only rights on your file to every member of the group.<br />
<br />
None of this actually matters of course, because of the next issue.<br />
<h2 style="text-align: left;">
Security by obscurity</h2>
<strike>Like I said, I haven't been able to test this, but...</strike><br />
<i>Update (22 October 2012): I've tested it and my conclusions are correct.</i><br />
<br />
Dropbox's own <a href="https://www.dropbox.com/help/383/en" target="_blank">help page</a> for this topic gives us this little bit of genius under the heading "Your links are secure" (<i><b>emphasis</b></i> added by me):<br />
<blockquote class="tr_bq">
"When you share a link, Dropbox creates a unique token used only in that link. It is <i><b>almost</b></i> impossible to guess the token, but even if someone was able to, they'd have to know the name of the folder and files the link points to. <i><b>That said, anyone who can see the link can copy it and post it elsewhere, such as another website</b></i>." </blockquote>
So let me get this straight. They've used "almost" to qualify themselves out of being at fault if someone "leaks" your data, and basically said your link isn't really secure under the heading that states "your links are secure".<br />
<h2 style="text-align: left;">
Conclusion</h2>
I've just taken you through my discovery process upon digging a little deeper. At first, I thought that there was at least a level of access control, albeit very coarse-grained. But by default, every group member is effectively an administrator, hence anyone can grant read permission on files within the group without approval from the owner. So there's actually no access control, merely the appearance that there is.<br />
<br />
But the real kicker is that <b>none of this matters because anyone that has access to the link can use it to gain direct access to the file and forward that link on to the public</b>. The only saving grace is that it doesn't look like anyone has write access on the file other than the owner. <strike>But I haven't been able to test this just yet so who knows.</strike><i> Update (22 October 2012): I've tested it and my conclusions are correct.</i>
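<br />
<br />
As an added example (not code from the original post, and not a description of how Dropbox or Facebook actually implement anything), the toy model below puts the two gaps described above into working code: a bearer share link that is honoured for whoever presents the token, a membership-bound check that refuses the same token to a non-member, and a group whose members-can-add default lets that non-member in regardless. The file, group and user names are constructed for the example.<br />

```python
"""Added example, not code from the original post nor from Dropbox/Facebook:
a toy model of the access-control gaps the post describes. A bearer link
grants access to whoever holds the token; a membership-bound link checks the
requester, but a group whose members can invite others still grows beyond
what the file owner intended. All names below are constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Group:
    owner: str
    members: set = field(default_factory=set)
    members_can_add: bool = True  # the default the post describes

    def __post_init__(self):
        self.members.add(self.owner)

    def add_member(self, actor: str, new_member: str) -> None:
        """Only members may add; with members_can_add off, only the owner may."""
        if actor not in self.members:
            raise PermissionError(f"{actor} is not in the group")
        if actor != self.owner and not self.members_can_add:
            raise PermissionError("only the owner may add members")
        self.members.add(new_member)


class ShareLinkService:
    def __init__(self):
        self._links = {}  # token -> (file_name, group)

    def create_link(self, file_name: str, group: Group) -> str:
        # An unguessable token, like the "unique token" the help page describes.
        token = secrets.token_urlsafe(32)
        self._links[token] = (file_name, group)
        return token

    def fetch_bearer(self, token: str) -> str:
        """Capability-style: possession of the link is the only check."""
        entry = self._links.get(token)
        if entry is None:
            raise PermissionError("unknown link")
        return entry[0]

    def fetch_bound(self, token: str, requester: str) -> str:
        """Identity-bound: the link is honoured only for current group members."""
        entry = self._links.get(token)
        if entry is None:
            raise PermissionError("unknown link")
        file_name, group = entry
        if requester not in group.members:
            raise PermissionError(f"{requester} is not a member")
        return file_name


def scenario() -> dict:
    """Walk through the post's argument; returns the outcome of each step."""
    results = {}
    group = Group(owner="alice")
    group.add_member("alice", "bob")
    svc = ShareLinkService()
    token = svc.create_link("budget.xlsx", group)

    # 1. bob reposts the link; "outsider" is not in the group.
    results["outsider_bearer"] = svc.fetch_bearer(token)  # possession is enough
    try:
        svc.fetch_bound(token, "outsider")
        results["outsider_bound"] = "allowed"
    except PermissionError:
        results["outsider_bound"] = "denied"

    # 2. With the default setting, bob can simply add the outsider.
    group.add_member("bob", "outsider")
    results["after_invite_bound"] = svc.fetch_bound(token, "outsider")

    # 3. Turning off members-can-add closes the second gap, but not the first.
    locked = Group(owner="alice", members_can_add=False)
    locked.add_member("alice", "bob")
    try:
        locked.add_member("bob", "outsider")
        results["locked_add"] = "allowed"
    except PermissionError:
        results["locked_add"] = "denied"
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The token's strength is irrelevant in the bearer path: the check never asks who is presenting it, so the link is only as private as the least discreet person who has seen it. Binding the check to an authenticated identity helps only if group membership is itself under the owner's control.<br />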
<br />
<br />
In short, if you share your file with a Facebook Group, you've just made it public.</div>