Sunday 3 May 2009
European Identity Conference Munich
This week the 2009 version of the European Identity Conference will be held in Munich, Germany. I will be attending the conference and give a presentation in the Cloud Computing side track on Thursday afternoon. I hope to get a lot of responses to the claims based access control (cbac) ideas and to the trusted identity provider solutions. More information on the idconf site.
Thursday 16 April 2009
myOneLogin ad
I just read one big ad (dressed as an article) for the myOneLogin service. It is some kind of identity broker, directed at enterprises and SMB's, facilitating single sign-on for cloud applications. It's a $3/month per user service that might replace the use of OpenID for enterprises users. It also addresses strong authentication needs and can cope with SAML.
Anyway: this has got nothing to do with identity 2.0. It's not the end user that is in control of his identity. This may be fine for enterprise use, but why would a company pay for sso in the cloud? Enterprise sso (esso) may be considered a security measure (it makes sharing accounts by end users difficult). And if you employed esso, cloud apps should be handled as well.
I'm a little bit concerned about such developments. The problem with services like this (as well as with OpenID) is that a central authority gets to know my whereabouts. Can these authorities be trusted? How about international regulations? Any clue? How do they handle logging and log analysis? Or log retention (I hope not).
I'm happy with this kind of development, because it propagates the use of open standards like SAML.
Still, not for me, though. I prefer an internal esso and besides, the password store in firefox and ie is capable enough. It is great, however, that using sso you are into green computing, in pandemic planning and fuel conservation and thus protecting the environment. I don't know how, but it's in their About statement (at least in today's version) :)
Tuesday 31 March 2009
European Identity Conference
Just a short update:
From the 5th till the 7th of May I will attend the European Identity Conference in Munich. I will be presenting a few thoughts about Access Control in the Cloud, covering Claims Based Access Control and Identity Provisioning (in the fog...). My talk will follow Martin Kuppinger's in Stuart Boardman's forum. I'm looking forward to meeting lots of experts in the field.
Munich, twice within a year: last year I presented a similar story at The Open Group's architecture practitioners conference. I like this city :)
Thursday 26 February 2009
Let's review too
Mike Jones reported the availability of the Identity Metasystem Interoperability Version 1.0. This looks like good news to me, progress being made, so all hands on deck for reviewing.
Monday 15 December 2008
Behavior centric identity management
What's the problem with people knowing my identity attributes, my personal data? Okay, not all data are public, but why should I hide my identity? What personal data should I protect?
I have been thinking about this privacy thing a lot lately. Partly because we have to protect privacy stuff by law. But we protect all information, you might say that all privacy data are protected implicitly if we live by our security policy, right?
The reasoning behind my thoughts is that there are several initiatives to use authentication services like OpenID. And I hesitate. And you know, the problem is that I want to keep my behavior private. That's it, I don't mind third parties knowing me, or part of me, but what I do, that's my business. What I do may lead to some status change of my identity, and that may be publicly known, but my behavior is mine.
We have been exploring some identity aspects and perhaps we will be able to classify security requirements based on identity aspects.
We learned about Identity DNA, fixed attributes, like name, sex, date of birth, even Social Security Number. The data elements will (almost) never change. It is so fixed, that it is even public, so why protect the confidentiality aspect?
Next you might talk about Identity Status, information that will change. Like an address, phone number, relationships (even commercial relations, like "customer of", the data that is to be protected because of privacy laws?). Protecting confidentiality might not be needed for all identities by default, but it may be economic to do so.
And then there must be something like Identity Behavior. This must be the most sensitive part of identity data. This is the knowledge part. That's why voting machines are no go right now. That's why financial and medical information are valuable. I want to protect this information. I don't care about my identity DNA, can't change that, but the acts of my identity are personal. Publishing my identity status is my responsibility (I can move, or not, get a new job or not), it's public within the context of my identity, but what I do with it is my business.
So much for now, perhaps this is way too academic. But at least I got it off my chest.
Community effort
I just like to point to the ibpedia.nl community project, that aims to be a research portal for information security professionals.
The project was started by a few Dutch enthusiasts, who (in vain) tried to use wikipedia for knowledge sharing. Due to the fact that a lot of knowledge was still in research phase, wikipedia could not host the items, so a new wiki was started.
ibpedia got its name from the ib abbreviation: Informatie Beveiliging, Information Security for those who are not familiar with the Dutch language. But, there's also a lot of content in English.
The content of ibpedia is published under a creative commons license, so free to share and add to. Don't hesitate to join the community.
Tuesday 28 October 2008
Results from Ian's identity Management survey
Ian Yip posted the results from his earlier survey. Lots of interesting pictures and I am curious about any further analysis.
You can find the results over here.