Recently in Security Category

RSA Conference 2010 -- Day 5

What a conference! In case you missed it, I've blogged about RSA all week long:

Like last year, I finished the conference by attending Richard Howard's talk on cyber threats and trends.  Howard is the director of the iDefense Lab.  In his talks, he lays out new security disruptors that will drastically change the information security landscape over the next 5 to 10 years.  He warned of the following disruptors last year and this:

2009:
  • Cyber terrorism
  • Mobile threats
  • IPv6
  • Arbitrary TLDs and multilingual URLs
  • Virtual worlds

2010:
  • Shift in attacks to government targets (i.e., cyber terrorism)
  • Smart phones (i.e., mobile threats)
  • Cloud computing

Then, I went to a talk on cross-domain identity and access control presented by Tom Winnenberg, principal security engineer at Raytheon.  In it, he talked about federation and centralized authorization using XACML.  Centralized authorization, especially using XACML, is something I heard a lot about during the week, actually.  Last year, that protocol was only mentioned once, in a presentation given by Sun and Burton.  This year, I heard about it in a half dozen different sessions, from a couple of vendors on the show floor, and from one other conference goer that I talked with.  I think people are starting to wrap their heads around centralized authentication, and are now beginning to wonder about how to also centralize authorization.  So I think the attention paid to XACML will increase this year, especially if Microsoft begins supporting it in their products (which won't happen in 2010).

All in all, it was a great show.  If you missed it, I would certainly recommend that you check out those blog posts I listed above and try to attend next year if you can.

RSA Conference 2010 -- Day 4

Cloud computing, virtualization, cyber-crime, and compliance were predicted to be the big themes of RSA.  After four days, I've been to about 20 sessions in 7 tracks, 7 keynotes, and heard from more than 30 corporate representatives from a half dozen industries.  Cloud computing has certainly come up, but almost exclusively in the keynotes.  It seems that the conference organizers want to talk about it, but the information security community has other things on its mind.  What have been the themes I've heard after attending all these sessions?  Identity and, as corollaries to that, authentication (as I said last night) and PKI.

I heard from Joshua Powers, CTO of Securboration and formerly of the US Air Force.  He talked about the difficulty of modeling identities and how semantic Web technologies can be used to create graphs to represent identities more effectively.  Then I heard from G&D and EISST about how they have been working to harden Web browsers and ensure that they haven't been patched by malware.  They called this technique Dynamic Application Authentication (DAA), and they used PKI and smart cards to do it.

Then I attended a panel discussion chaired by a representative from Adobe which included a registrar in higher ed, a lawyer, and an auditor.  They talked about how there is a resurgence of interest in PKI.  Unlike ten years ago, they said, this new buzz is coming from business and not from crypto geeks going on and on about Alice, Bob, and Eve.  The result is a market pull rather than a push, as was the case a decade ago.  The fundamental reason, they said, was that businesses of the twenty-first century are information companies.  Data doesn't remain neatly within the silos we've created in our organizations -- it flows across them.  In order to comply with regulations, avoid leakages, and use data to provide customers with value, companies have to find a way to secure it.  PKI is increasingly the way in which they're doing so, the panelists said.  They cited a number of examples:

  • Verification of hundred-year-old legal contracts
  • Digitally signing transcripts
  • Federation
  • Verifying the identity of doctors
All of these examples come down to authenticating the identity of different entities. 

BTW, when the lawyer, Randy Sabett, was asked by a Brazilian audience member about when America would get a national ID system like his country's, Sabett said it was a "long way off."  In light of this, perhaps my prediction last night was a bit naive :-)

The last session I attended today was a P2P discussion about Identity Management (IdM).  The group was made up of folks reporting to CIOs, CSOs, and CTOs.  They talked about the huge disarray that their organizations are in with regard to identity.  From the sound of it, it seemed that their IdM systems were not working very well for them.

So cloud computing is important, but it seems that the information security community thinks identity, authentication, and PKI are more important.  Have you been hearing other things at the conference?  Are other issues more important to your organization than these?  Are these issues hot topics for your company as well?  I'd love to hear about it.  Leave a comment below or shoot me a note.  I've got one more day here at RSA, so keep an eye on my Twitter stream for real-time updates and check back tomorrow for my final post.

RSA Conference 2010 -- Day 3

I can't believe it's only day three! It already feels like day 10. Today, I attended sessions presented by representatives from the Brazilian banking industry, Yahoo!, Google, Cisco, Bank of America, Qualys, and the US government.  There was a red thread that wove through all of these speakers' words that really caught my ear.  It was a topic I also heard while speaking with a German exhibitor on the show floor and other conference goers who I ate lunch with.  Any guesses as to what it was? Readers of my blog, especially those familiar with this year's theme for RSA, will certainly think it was cloud computing.  It wasn't though.  It was authentication.

The Brazilian banking representatives who worked for the first and eighth largest financial institutions spoke about the PKI that Brazil has recently launched.  The root of this trust hierarchy is the government itself.  When citizens are born, their fingerprints are taken at birth and placed in a government database.  At some later point, they are issued national identity cards.  Their fingerprints are encoded on the smart card of the ID and signed by the Brazilian root CA. 

Banks in Brazil apply to be intermediate CAs under the government's root.  When a citizen comes to one of them for a bank account, they must present their national ID card.  With this, they can authenticate the person using the biometric data on the card, the person's finger, and the signature of the root CA.  There are surely many factors that have led to the adoption of this technology in Brazil, but one is no doubt the scale of crime confronting the country.
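The trust chain described above, reduced to its two steps, as an added example that is not from the post or from any Brazilian bank or CA: the root issues a card carrying the citizen's fingerprint data under its signature, and the bank checks the root's signature and then the presented finger against the card. It assumes Ed25519 for the root signature, a SHA-256 digest as the stored fingerprint template, and exact digest equality standing in for a real biometric matcher, all of which are constructed simplifications.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Card models the national ID record described in the post: fingerprint data
// encoded on the smart card and signed by the root CA. The digest-based
// template and Ed25519 signature are assumptions, not Brazil's actual format.
type Card struct {
	CitizenID  string
	FingerHash []byte // SHA-256 of the enrolled fingerprint template (constructed)
	RootSig    []byte // root CA signature over CitizenID || FingerHash
}

func cardPayload(id string, fingerHash []byte) []byte {
	return append([]byte(id+"|"), fingerHash...)
}

// IssueCard is the root CA's step: digest the enrolled fingerprint and sign the record.
func IssueCard(rootPriv ed25519.PrivateKey, id string, fingerprint []byte) Card {
	h := sha256.Sum256(fingerprint)
	return Card{CitizenID: id, FingerHash: h[:], RootSig: ed25519.Sign(rootPriv, cardPayload(id, h[:]))}
}

// VerifyAtBank is the bank's step: trust only the root's public key, check the
// root signature over the card contents, then match the presented finger to
// the card. A tampered card, an untrusted root, or the wrong finger all fail.
// Real biometric matching is a thresholded template comparison; exact digest
// equality is a stand-in for it here.
func VerifyAtBank(rootPub ed25519.PublicKey, c Card, presentedFinger []byte) error {
	if !ed25519.Verify(rootPub, cardPayload(c.CitizenID, c.FingerHash), c.RootSig) {
		return fmt.Errorf("card %s: root CA signature invalid", c.CitizenID)
	}
	h := sha256.Sum256(presentedFinger)
	if !bytes.Equal(h[:], c.FingerHash) {
		return fmt.Errorf("card %s: presented fingerprint does not match card", c.CitizenID)
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	finger := []byte("constructed-fingerprint-template-001") // constructed sample
	card := IssueCard(rootPriv, "BR-000001", finger)
	fmt.Println("genuine card, enrolled finger:", VerifyAtBank(rootPub, card, finger))
	card.CitizenID = "BR-999999" // alter the signed record: signature check now fails
	fmt.Println("tampered card:", VerifyAtBank(rootPub, card, finger))
}
```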

Richard Clarke, Chairman of Good Harbor Consulting, asked rhetorically in his keynote if America must get to a similar level of crisis before taking more drastic measures to protect its citizens online.  An American gentleman that I had lunch with (whose name I unfortunately did not get) said that he wants a national ID in order to protect his privacy.  He argued that by being able to positively identify himself using such an ID, he could avoid intrusive searches in cases where the government suspects him of crimes perpetrated by someone that looks like him.  While searching his computer, house, car, etc. to determine who he really is, the government may find things that are actually illegal.  Once they are convinced he is not the suspect they originally believed him to be, they would then have the evidence necessary to convict him of other crimes.  Authentication initially would have prevented this, he argued.

Google, Yahoo!, B of A, and Cisco talked about how phishing is bombarding their users, and preventing the banks from using that channel to communicate to the full extent desired.  Due to a lack of authentication, email cannot be trusted to deliver more value to customers.  In fact, the phishing attacks are discrediting the financial institution's brand and reputation, B of A said.  The solution the Web mail providers are employing is the same one the Brazilian banks are using to guard the online banking and ATM channels: PKI.  Unlike the South American organizations, however, Google and Yahoo! are not authenticating the end users; rather, they are only, initially, verifying the identity of the servers which are sending them email.  Email from unauthenticated servers is scrutinized more intensely than email from authenticated senders.

In her keynote, Secretary of the Department of Homeland Security, Janet Napolitano, said that what is needed is "privacy enhancing authentication."  CEO of Qualys, Philippe Courtot, said that it is the job of security professionals to "verify and to be on the lookout."  Bruno Quint of CORISECIO, a German service provider in the telco industry, told me about how his company is providing 2+ factor authentication using a national PKI (like Brazil's but without biometry) combined with Information Cards on mobile devices to provide strong authentication that is easy to use.

From all of this, I will go out on a limb and make the following predictions about authentication:

  • America will inevitably roll out a national ID card that uses PKI; it will not use biometry at first.
  • The creation of this PKI will be lobbied for by the financial industry.
  • It will be rolled out in 10 years or less.
  • It will eventually be used to securely authenticate online banking, e-commerce, voting, and other applications.
Disagree?  Have other predictions?  Share your opinion in a comment below or let me know.  Also, be sure to check back tomorrow for a summary of day 4 and watch my Twitter stream for live updates.

RSA Conference 2010 -- Day 1

This year, I'm attending my second consecutive RSA Conference. Just like last year's show, I will be blogging about each day's happenings.  Today, I started things off by attending the day-long Kantara workshop. Like I mentioned last year, Kantara is a grassroots effort to bring together the OpenID, Information Card, and SAML communities to find a way to provide digital identity solutions in both the enterprise and consumer space.

During the workshop, various folks from CA, Google, PayPal, MEDecisions, NTT, Ping Identity, et al. spoke about what the group has been doing since its kick off last year at RSA.  Trent Adams, of the Internet Society, started by explaining what Kantara is, ways to get involved, etc.  Four important things that he said were:

  • Any individual can become a participant for free and become a voting member for a nominal fee (~$100/year) -- more for companies
  • Kantara is not a standards body but an incubator for them
  • The User-Managed Access (UMA) working group, chaired by Eve Maler of PayPal, is the most active of all groups
  • Kantara has been granted provisional status by the US government as a Trust Framework Provider (or something) that basically means that Uncle Sam thinks they're doing pretty important stuff ;-)
Andrew Nash of PayPal spoke next about how we as an industry are a couple billionths of a second after the "big bang" of identity, meaning we are on the absolute forefront of creating an identity metasystem for the Internet.  Given its early days, it's helpful to use the framework presented by Matthew Gardiner of CA to see what initial identity-related capabilities are needed to enable cloud computing:

[Figure: cloud-glue.png -- Gardiner's identity capabilities for cloud computing, with the three labels explained below]

By these labels, Gardiner means thus:

  • Enterprise to Cloud Providers - Needs of enterprises who are trying to leverage SaaS or cloud services
  • For Cloud Providers - Needs of cloud/SaaS providers themselves
  • Cloud Providers for Enterprise - Needs of cloud/SaaS providers who are targeting large enterprises
As a market researcher, I would be jazzed to know that this industry leader believes that what big businesses who are trying to adopt cloud computing need right now is data loss prevention, user authentication and federation, and log management services. Good time to be an aspiring entrepreneur who knows a bit about cloud computing, SAML, WS-Trust, and WS-Federation :-)

Paul Madsen (@paulmadsen), of NTT, then explained what's been happening in the identity space with regard to the various specs and protocols. He said that most of the work these days is on creating new profiles for the various protocols (e.g., the XSPA profiles for WS-Trust, SAML, etc.).  He also mentioned OAuth WRAP, which Eric Sachs of Google also talked about.  Not surprisingly, Sachs was very positive about it, but so was Madsen.  It was notable to me because I got the impression that the community was in a tizzy about WRAP, but those of the community that I heard from today weren't.  I caught up with Sachs on the exhibition floor and we chatted over a messy sandwich about how WRAP's purpose was to make OAuth simple to implement.  I've never tried, but Sachs said that OAuth is just too difficult for many developers to do right.

Also in the exhibitor hall, I met up with Sridhar Muppidi and Craig Forster of IBM. This architect and engineer told me about how their STS, which is a part of Tivoli Security Policy Manager (TSPM), has implemented the XSPA profile. Muppidi also said that their STS conforms to WS-Trust 1.3 but that 1.4 is on their road map.  He said that most of their customers are still using 1.2, so 1.3 is still relatively new and that customers aren't even thinking about 1.4 yet.  When they do implement the new versions though, he said that they intend to support not only ActAs but also the new challenge and response stuff.  Awesome!  They do challenge/response now in their STS in a proprietary way, Muppidi went on to say.  What they do is fault and include a subcode and info about the challenge that the user needs to answer to continue the token issuance process.

There's more I could say.  Unfortunately, I left my time stopper and person replicator at home, so I have to leave it here for now.  You can get all the slides from all the presentations from my stash.  If you have questions about anything I've written, add a comment below or get in touch with me.  Also, if you're at RSA and want to hook up, call, text, or DM/mention me on Twitter.

Pros and Cons of WIF

I got a message from Sidar Ok on Twitter the other day asking about the pros and cons of Windows Identity Foundation (WIF).  I put together the following list when replying to him, but wanted to share it with the community as well.

Pros
  • Makes it much simpler to implement an STS than it is with just .NET and WCF
  • Unified programming model across multiple platforms including WCF and ASP.NET
  • Support for WS-Trust
  • Support for WS-Federation
  • Support for SAML 1.1 and 2 tokens
  • Large amount of docs, books, mags, blogs, and community relative to its age
  • Good tool support (e.g., Visual Studio and FedUtil)
Cons
  • No support for SAML 1.1 or 2 protocols
  • Can't be installed on Windows XP
  • Unpolished support for other platforms (e.g., Silverlight, ASP.NET MVC, etc.)
Did I miss any?  Do you disagree?  Which of those benefits are the most compelling to you and your company?  Which of those drawbacks are the biggest hindrances to your adoption?  Let me know in a comment below or get in touch with me directly.