Recently in Cloud Computing Category

Cloud Identity Summit 2010 -- Day 3

The final day of the Cloud Identity Summit was great. I missed Andrew Nash and Chuck Mortimore unfortunately, but I did get a chance to hear John Shewchuk talk about what he and his colleagues at Microsoft think identity may look like in 2020. In his talk, he listed some requirements to achieve the sort of identity-related scenarios they are envisioning for the next 10 years. Here's a summary:

  1. Support for rich identities
  2. Existence of multifaceted federated profiles
  3. Flexible authentication that includes new factors (e.g., visual, voice, etc.)
  4. Flexible access control
With these, we may see, Shewchuk said, things like TVs that can recognize that a family is watching and recommend shows that are appropriate and preferred by both the parents and the children. When the kids go to bed, the TV will see that they are gone, and suggest shows that include more mature content.

This sounds very exciting, but this sort of technology has a lot of other applications that are not as exciting to me. The possibility of marketers using this rich identity data and profile information to target our society with tailored messages could radically alter our culture. My colleague, Andy Phenix, and I talked about this in great depth on the way down the mountain. It was a thought-provoking and stimulating conversation that was a great conclusion to the week-long identity dialogue.

Thanks to the sponsors, organizers, and, most of all, to the other attendees that made it such a wonderful time!

Cloud Identity Summit 2010 -- Day 2

Day 2 of the Cloud Identity Summit kicked off w/ Ping Identity's CEO, Andre Durand, discussing the importance of identity and the need for us to come together as a community to discuss it in the context of cloud computing (similarly to what other thought leaders said at RSA). He handed it off to Gunnar Peterson who said that there are four fundamental technologies necessary to enable broad adoption of cloud computing:
  • Security Token Services (STSs),
  • Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs),
  • Gateways, and
  • Monitoring.
I totally agree that STSs are a core component of this new architecture. They will one day be on par w/ DNS, DHCP and other infrastructure services that enterprises need to operate. While this technology helps answer the first fundamental question of who you are, it doesn't address the question that we're actually interested in knowing the answer to: what are you allowed to do? This is where the PEPs and PDPs come in, and I completely agree that these are critical to the adoption of cloud computing.

Eve Maler picked up on this theme in her talk on User Managed Access (UMA), a protocol for authorization that's being incubated by Kantara. In addition to birthing new standards, this organization, Pamela Dingle explained after Maler's talk, is also a Trust Framework Provider (TFP). This and similar organizations are essentially abstractions around IdPs. The US Government is defining profiles of certain protocols (e.g., Info Card, OpenID, etc.), and stipulating that TFPs must ensure that all IdPs that they vouch for conform to these profiles. (I imagine that attribute contracts are also specified, but I don't recall Dingle saying that.) The output of these TFPs is metadata which is analogous to a Certificate Revocation List (CRL) in PKI. Because the "CRL" can be traced from the TFPs back up to the US Government, RPs can pick and choose IdPs willy nilly knowing that they are all reputable and capable of asserting someone's identity.

This abstraction would have come in handy during Lee Hammond's talk that he did w/ Brian Kissel. In it, Hammond spoke about how his record label is using Janrain's Engage product (formerly RPX) to shield his Web apps from the assortment of protocols supported by the IdPs he relies on. Using Janrain's identity protocol mediation service, music fans are able to seamlessly log in once to the Web sites of multiple musicians on his label. During his presentation, Hammond didn't want to give a live demo because Twitter was giving him a fail whale earlier in the day. If his protocol aggregator depended on the TFP instead of the actual IdP (Twitter in this case), it may actually (e.g., if Hammond configured it to do so) fail over to some other comparable IdP.

There were a lot of other great things discussed during the day. If you want to know more, drop me a line. Also, be sure to check back here tomorrow for the final report on what's happening in the cloud identity community. It's exciting stuff!

Cloud Identity Summit 2010 -- Day 1

Today was the first day of the Cloud Identity Summit in Keystone, Colorado. The quality of the workshops and value of the interaction with other industry experts was only outdone by the breathtaking views of the mountains surrounding the conference hall. To give you a small idea of what it was like, here are some highlights from Gerry Gebel's workshop on XACML:

  • Version 3 of the spec will probably be released by the end of this year.
  • The new delegation model makes XACML especially pertinent to SaaS providers.
  • Gerry and Doron Grinstein, the CEO of BiTKOO, did not know of any production installations that use a PEP from one vendor and a PDP from another.
  • There's a new profile looming called the XACML Intellectual Control Profile (IPC) which is being shepherded through OASIS by Boeing.
  • BiTKOO is on the verge of open sourcing a PDP and a PEP. (No details given.)
  • Gerry didn't think the XACML technical committee was interested in defining the transport mechanism used by the different actors in the architecture, and everyone in the room seemed (from what I could sense) to think that the spec had limited value until they did.
  • Patrick Harding, CTO of Ping Identity, thought that the standardization of the client-side API used in PEPs would help speed adoption as was the case w/ LDAP.
If you're interested in other things that were said, ask in a comment below or let me know. Be sure to keep an eye on my Twitter stream for more updates, and check back tomorrow for day two.

RSA Conference 2010 -- Day 2 Part 1

The keynotes this year at RSA were really good. The same guys that spoke last year spoke again this year:

  • Art Coviello, Executive Vice President of EMC Corp. and President of RSA, The Security Division of EMC
  • Scott Charney, Corporate Vice President for Trustworthy Computing, Microsoft Corp.
  • Enrique Salem, President and CEO, Symantec Corp.
The theme repeated over and over and over again in the address of all three was cloud computing. They said that cloud computing represents both a challenge and an opportunity.  As others said yesterday, cloud computing is a chance for the information security industry to redo the IT infrastructure with security at its core.  Even more so than last year, these men stressed the inevitability of cloud computing's adoption and Coviello said its transformative impact on society and business will be like that of the Internet itself.  It wasn't that they were crying uncle; it was more like they were saying if we (the information security community) can't deter them, let's lead them.  To this end, Coviello laid out a strategy for businesses:

  1. Begin moving non-critical services to the cloud
  2. Move critical business applications to the cloud
  3. Build internal clouds
  4. Combine your internal and external cloud infrastructures to create a hybrid cloud
In making that first step, he advised attendees to ensure that SaaS providers are able to address GRC, SLA, policy, identity, and multitenancy needs (the last being the hardest he said).  Through these, the cloud goes from being a nebulous black box to a transparent one:

[Image: transparent_cloud.gif]

Which seems like something your business wants to invest in? Startups looking to attract enterprise customers and acquisition should ensure that their offerings are like the latter, something that I imagine will be hard for many of them due to a lack of experience working in and with large enterprises.

Coviello closed with a helpful analogy in which he compared cloud computing to the financial system.  Initially, we traded chickens for grain; then we used coins; then we "virtualized" our finances and began using paper money -- an act that places trust on the issuer of the notes; then, we created stocks and bonds to allow us to distribute wealth in a more "elastic" manner.

To make this happen, Charney picked up after him, identity is going to be a fundamental obstacle that we must overcome.  Including wording on his slides, Charney said identity over 25 times in his short address.  Microsoft, all the other speakers, and I believe that identity is key in the adoption of cloud computing which is the future of all organizations.  To this end, Microsoft just released a public beta of U-Prove, a technology that is built on top of WIF, ADFS, and CardSpace; it provides the least amount of information necessary to conduct one's business online in the cloud.  I've had early access to an alpha of this software and talked to Christian Paquin, one of its creators, last year at RSA.  It is a really compelling technology and the release of the public beta, free use of its crypto, and open source reference code is an important step in overcoming the identity barrier.

There's a lot more to see and hear today, so I'll post again this evening if I have time.  Keep an eye on my Twitter stream for real-time updates and drop me a line if you have any questions/comments about the keynotes or U-Prove.

RSA Conference -- Day 2


I learned a lot today during day two of the RSA Conference.  A lot of it was from one-on-one conversations I had with helpful, inspiring gentlemen, but I also learned a lot from the keynotes, panel discussions, and sessions that I attended.  There was too much to go into it all here, but there was one red thread that I heard over and over today.  It was a theme I did not expect to be so dominant and so positive at a conference full of security buffs, C-level execs, and enterprise architects: cloud computing represents a tremendous opportunity that is there for the taking.

I heard it described today by one panelist as the technology of the gods.  The president of RSA, Art Coviello, said in his keynote that cloud computing is bringing our society to a tipping point.  After teetering over it, humankind will be completely revolutionized.  This sentiment was echoed by Microsoft's Scott Charney.  Symantec's CEO, Enrique Salem, said that the interfaces of some cloud-based software that will be implemented by many different vendors should be standardized in a collaborative, open manner.  During a panel discussion that included some of the world's leading cryptographers (Whitfield Diffie, Martin Hellman, Ronald Rivest, Bruce Schneier, and Adi Shamir), two of the five said that cloud computing is one of the most compelling and interesting areas that is occupying a large part of their time, research, and thoughts. Another panel included Eva Chen, co-founder of TrendMicro, who's been in the security industry for 21 years and said that cloud computing is the most interesting development that she has ever seen. The co-founder of America's Growth Capital investment banking group said that the SaaS market is currently 1.3B in size and is growing by 17% annually according to an IDC study recently published.  Kim Cameron said that the claims-based model would help support the need to identify users both in the cloud and on-prem.

Some at the conference are voicing their counter views, however.  I've heard some say that they are bored with cloud computing as it's just the resurgence of the mainframe.  Others have said that cloud computing coupled with SSO increases a user's attack surfaces tremendously should they happen to get infected by a virus that uses SSO to connect to remote cloud services to perform unbeknownst and undesired operations as them.  Some participants have said during open mic sessions that they would never store their data in the cloud.

In every keynote, panel, and session, cloud computing came up and usually with a positive tone.
