19 May 2013
Julian Bond: Chaipuccino is not a thing, no matter what Starbucks may say. If you run a cafe and you have Chai tea...
And Starbucks, no thanks for the Chai Tea Latte. Maybe some people like it, but I reckon that's just wrong as well.
[from: Google+ Posts]
19 May 2013 4:33pm GMT
18 May 2013
One of the first steps taken to protect a system from authentication errors is the determination of its assurance level requirement. That risk assessment process takes as input potential harm and likelihood of harm. This blog post looks at the applicability of the likelihood factor when assessing assurance level requirements for Internet connected systems.
The classic "E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]" defines risk from authentication error as a function of two factors: (a) potential harm or impact and (b) the likelihood of such harm or impact. The categories of harm and impact and how to apply them, per OMB-04-04, can be found in my earlier blog post on HOW-TO Conduct a Risk Assessment to Determine Acceptable Credentials.
The key point to note is that most risk assessment methodologies allow for "tuning" the risk using a "likelihood of harm/impact" factor, which looks something like this:
Risk of Authentication Error = Potential Impact/Harm * Likelihood of Impact/Harm
But how does one determine the "likelihood of harm" number? The two classic approaches are to explore "base rates" or to consult with experts. But there is a gotcha with experts:
The simplest and most intuitive advice we can offer [...] is that when you're trying to gather good information and reality-test your ideas, go talk to an expert. Here's what is less intuitive: Be careful what you ask them. Experts are pretty bad at predictions. But they are great at assessing base rates. (Decisive: How to Make Better Choices in Life and Work)
So a prediction by an expert may not be all that valuable. But what about the base rates? My concern there is the constantly evolving threat environment that is the Internet, and how base rates that are based on past data are an unreliable predictor of the future.
So my recommendation in this particular case is rather simple. In this type of evaluation set the "likelihood" factor equal to 1. DO NOT discount the likelihood of harm, and ALWAYS assume there is a likelihood of harm:
Risk of Authentication Error = Potential Impact/Harm * 1
What that means is that, if as part of your assurance assessment you need to factor in the impact or harm from an alien invasion, do not discount the likelihood! Stand firm, fully account for it, and put into place compensating controls to mitigate the consequences.
- E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]
- HOW-TO Conduct a Risk Assessment to Determine Acceptable Credentials
These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer
18 May 2013 7:00pm GMT
Julian Bond: Something to get lost in. http://electronicexplorations.org/?show=zhou Fairly short and quirky mix of...
"I chose to focus on the less dance floor orientated sounds for this mix and instead tried to compile a selection of tunes that I would want to listen to. It is a mix highlighting some of the music currently coming out of Bristol that I find most exciting as well as tracks that have informed the music we make ...
[from: Google+ Posts]
18 May 2013 10:28am GMT
Today is National Buttermilk Biscuit Day. Biscuits fill me with joy, as do community integrations, so here's a post packed with deliciousness from the amazing people in the Stormpath community. (First, here's an awesome biscuit recipe. Happy Biscuit Day!)
- CAS-Addons, now with Richer Stormpath Support
- Python Login Skeleton for Stormpath
CAS-Addons, now with Richer Stormpath Support
- Top level AuthenticationManager bean definition
- List of handlers with default HttpBased handler and StormpathAuthenticationHandler
- List of principal resolvers with default HTTP principal resolver and StormpathPrincipalResolver (which automatically exposes Stormpath Account data as CAS Principal attributes)
Python Login Skeleton for Stormpath
Brian Peterson just released a simple and very intuitive login skeleton for Stormpath that uses the Stormpath Python SDK. This makes it really (I mean, really) easy for Pythonistas to use and understand Stormpath.
He also did a great job of explaining and diagramming the actions of the SDK. Fork it, play with it, send him (and us!) your suggestions and pull requests. As we roll out the Python SDK update, which will include 2.7 support as well as a simplifying refactor, we'll also be updating this handy tool. Nice work!
18 May 2013 2:19am GMT
17 May 2013
Julian Bond: Shock horror. Festivals are expensive and only middle aged, middle class people can afford it.
Which explains how white, middle aged and middle class, Glastonbury can appear to be. (sez, the balding old git).
FACT is the UK's best online music magazine and home to the weekly FACT mix series.
[from: Google+ Posts]
17 May 2013 5:53pm GMT
Access Risk Management Blog | Courion
Securing an enterprise is no mean feat and is made more difficult by the rapidly expanding use of software in the Cloud. Although security is often cited as a concern with a move to the Cloud, what may not be fully appreciated is how cloud computing amplifies the existing risks of how to best manage millions, if not billions of identity and access relationships.
Check out this article by Kurt Johnson, Courion VP of Strategy and Corporate Development, to learn about the need for real-time access intelligence to manage the risk of improper access to systems and resources that span the enterprise and the Cloud, as well as how organizations can reduce risks before they become bona fide breaches.
17 May 2013 1:16pm GMT
Students from a range of educational institutions now have the ability to confirm, through WAYF, their student status with Mecenat, thereby obtaining access to purchasing discounted items from Mecenat's business partners. Educational institutions with an interest can get further information from Lasse Urth of Mecenat (phone +45 2851 2171).
17 May 2013 11:55am GMT
People employed at institutions using e-recruitment solutions from peopleXS now have the ability to log into the peopleXS online service using their institutional login, through WAYF. In case of interest, contact peopleXS for further information.
17 May 2013 11:46am GMT
The major concern being: "Why isn't this going straight to a standards body?"
This is what standardization bodies' working groups are for: work on protocols and formats, work on security considerations, and use the experience of "the community".
The FIDO authentication protocol needs to be part of a standardized, interoperable ecosystem to be successful. Building this ecosystem requires the active commitment of everybody from hardware chipset vendors, to the manufacturers of back-end server systems. Coordination across the divergent interests of these players is a complex affair, and one that current technical standards bodies are not well suited to handle.
The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement.
So FIDO is developing a protocol and will then present it to one standardization body...
Meanwhile it is a closed thing and it costs relevant amounts of money to join the alliance.
This is neither free nor open.
During IIW there were several sessions on FIDO (1, 2). Each was full of good intentions and marketing speak but no substance. No real information. You have to join the alliance to get that. Well, ...
Somebody at Nok Nok Labs convinced somebody at Paypal to hire them and found FIDO. Why Google joined despite Google's support for the W3C WebCrypto group I have no idea.
The W3C WebCrypto group is where this belongs. This might need rechartering of the group. But that is doable. Especially if the proposal is backed by a prototype implementation. Especially if it is backed by Paypal, Lenovo, Google, Nxp and others.
I believe that we need better authentication methods beyond username and password. I think that bring your own (hardware) identity might work toward that goal. I believe that mobile phones, SIM cards and NFC help to achieve this. I believe that the mobile wallet is the right user interface to choose your identity.
I believe that doing it in a closed group is not the right way.
17 May 2013 9:34am GMT
The wrestling match is covered in my earlier post.
Let me insert my favorite punch line before I mention the best practices.
Authentication is finite while Authorization is infinite.
Best practices for access control:
1. Know that you will need access control/authorization.
2. Externalize the access control policy processing
3. Understand the difference between coarse grained and fine grained authorization
4. Design for coarse grained authorization but keep the design flexible for fine grained authorization
5. Know the difference between Access Control Lists and Access Control standards
|Fig: Typical XACML Fine Grained Access Control Architecture|
6. Adopt Rule Based Access Control: view access control as rules and attributes
7. Adopt REST style architecture when your situation demands scale, and thus REST authorization standards
With the growing demand for web based services and APIs and the proliferation of mobile devices, it has become essential to incorporate REST style architecture into your system design.
It is essential to use the OAuth2 standard for REST authorization. While OAuth2 takes care of defining the tokens and some rules for authorization (scope of authorization and actor/resource), it may still be necessary for system architects to incorporate fine grained authorization. Certainly take a look at the REST Profile of XACML v3. There is also a JSON binding available.
8. Understand the difference between the Enforcement and Entitlement models
Prominent access control strategies and standards follow the Enforcement model: the access control system tries to enforce access to a resource, which leads to a Yes/No type question per request. The enforcement model does not scale in a cloud or a resource constrained environment.
In the Entitlement model the access control system does not perform enforcement or access checks. Rather it answers questions such as "What permissions does this user have?". The requester then uses the returned answer to perform local enforcement.
|Cloud Enforcement vs Entitlement Model|
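Points 6 and 8 above (rules and attributes; enforcement versus entitlement) as an added, constructed example that is not from the original post and is not an XACML implementation: a small rule/attribute policy engine that answers both the Yes/No enforcement question and the "what may this user do?" entitlement question, with the caller enforcing locally from the returned set.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Subject = Dict[str, object]
Resource = Dict[str, object]

@dataclass
class Rule:
    """One access rule: a set of actions granted when condition(subject, resource) holds.
    The rule shape is assumed for this example, not an XACML policy element."""
    name: str
    actions: Set[str]
    condition: Callable[[Subject, Resource], bool]

class PolicyDecisionPoint:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def is_permitted(self, subject: Subject, action: str, resource: Resource) -> bool:
        """Enforcement model: one Yes/No answer per access request (one round trip each)."""
        return any(action in r.actions and r.condition(subject, resource) for r in self.rules)

    def entitlements(self, subject: Subject, resources: List[Resource]) -> Set[Tuple[str, str]]:
        """Entitlement model: every (action, resource id) pair the subject holds over the
        inventory, returned once so the caller can enforce locally without further calls."""
        granted: Set[Tuple[str, str]] = set()
        for r in self.rules:
            for res in resources:
                if r.condition(subject, res):
                    granted.update((a, str(res["id"])) for a in r.actions)
        return granted

def local_enforce(cached: Set[Tuple[str, str]], action: str, resource_id: str) -> bool:
    """Client-side check against a previously fetched entitlement set; no PDP call."""
    return (action, resource_id) in cached

# Constructed sample policy: one coarse grained (role) rule, one fine grained (attribute) rule.
RULES = [
    Rule("doctors-read-records", {"read"},
         lambda s, r: s.get("role") == "doctor" and r.get("type") == "record"),
    Rule("owner-full-access", {"read", "write", "delete"},
         lambda s, r: r.get("owner") == s.get("id")),
]
# Constructed sample resource inventory.
RESOURCES = [
    {"id": "rec-1", "type": "record", "owner": "alice"},
    {"id": "rec-2", "type": "record", "owner": "bob"},
    {"id": "img-1", "type": "image", "owner": "bob"},
]
```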
17 May 2013 5:35am GMT
16 May 2013
The 2013 edition of the European Identity & Cloud Conference just finished. As always KuppingerCole Analysts has created a great industry conference and I am glad I was part of it this year. To relive the conference you can search for the tag #EIC13 on Twitter. KuppingerCole manages each time to get all the Identity [...]
16 May 2013 7:19pm GMT
This morning, I read a recent Oracle White Paper entitled, "Transforming Customer Experience: The Convergence of Social, Mobile and Business Process Management." It gave an interesting perspective on the blending of emerging paradigms - mobile and social - with the older discipline of Business Process Management. To stay ahead in today's rapidly changing business [...]
16 May 2013 5:15pm GMT
Julian Bond: Realists have no idea how they ended up living on this once hospitable planet with all these fools
This is the third and final day of my spring fundraiser. If you value this website, consider making a donation via the Donate (Paypal) button on this page, or by sending a check or money order to the PO Box I gave you in Tuesday's post. Thanks - Dave [Tony Judt's book Ill Fares the Land] has a touch of prophecy in the authentic sense of that term. Prophecy is not about foretelling the future; it is about warning those in the present that unless th...
[from: Google+ Posts]
16 May 2013 3:49pm GMT
Julian Bond: 16 May (tonight), MS Stubnitz, Canary Wharf, London for some Real time, Algorithmically Generated Techno...
Time to dust off the Music Tech dissertation and rhythm generator using Markoff Chains in the time domain.
When: 7pm-11:30pm, Thursday 16 May 2013 Where: MS Stubnitz, Montgomery Street, Canary Wharf tube, London E14 9SB Tax: £9 advance tickets (or plenty on the door for £10) We're back on-board the MS S...
[from: Google+ Posts]
16 May 2013 6:42am GMT
15 May 2013
Today I read a year-old document published by Gartner, entitled, "The Nexus of Forces: Social, Mobile, Cloud and Information." It explains the interaction among these market forces better than any single document I have read: Research over the past several years has identified the independent evolution of four powerful forces: social, mobile, cloud and information. [...]
15 May 2013 10:58pm GMT
Gluu: How & Why Gluu’s open source authorization and authentication platform was chosen by Toshiba for new Cloud TV.
Today, services like authorization and authentication are delivered via APIs: JSON / REST HTTP "endpoints." Some of the most popular authentication APIs on the Internet are using different profiles of OAuth2. Because consolidation increases efficiency, Google, Microsoft, Yahoo, and others …
15 May 2013 9:33pm GMT