09 Nov 2011

Planet Identity

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 28

Another influencer of the posture token (in terms of periphery tokens) is RFID tokens or tags (in conjunction with USN tokens and NFC tokens).

09 Nov 2011 2:02am GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 27

Another such periphery token that can increase or decrease the integrity represented by a posture token is a USB token. Non-provisioned, ad hoc USB tokens will basically reduce the posture token's attribute value representations. However, since these USB tokens themselves can be used as (a pre-provisioned initiating vector) secure storage of certificate/PKI, SIM, and other soft tokens, they can be added to the client device overall to increase the posture token's attribute values.

09 Nov 2011 1:59am GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 26

Related to posture tokens that act as a runtime representation of validated and verified integrity attributes about a device and its connection, the contiguity and continuity of the integrity posture is not a given. Depending on the context and use case (application) the device is running, the posture token will be re-aligned. Influencers of such posture tokens about, let's say, a mobile device are additional periphery contexts also represented by tokens. One such token is an NFC token.

09 Nov 2011 1:53am GMT

08 Nov 2011


Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 25

In conjunction with external entity posture (such as client devices), the perimeter PDP can also produce a Network Threat Level Posture token, based on current threats that are active. Trend Micro-like systems generate such threat level tokens; they can range over the access networks a perimeter network connects to (such as a mobile network), the enterprise network and the SP network (cloud SP). These types of tokens add another layer of intelligence to measuring an integrity level of an end-to-end client-to-service connection.

08 Nov 2011 11:21pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 24

Ultimately, leveraging path and packet tokenization and protocol and port tokenization, a comprehensive perimeter PDP should generate posture tokens that capture in real time the integrity level of a device and its connection (client device and server device e2e). In general this should be generated after execution of all the control functions performed by: UTM (including intrusion detection and prevention control functions), IP FW functions, VPN control functions, admission control functions, and more. The posture tokens generated at runtime are from a comprehensive, combined perimeter PDP.

08 Nov 2011 11:13pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 23

Packet and protocol/port (tokenized ports: NAT and PAT) firewalls (a farm of firewalls) generate path and packet tokens after protocol and port level rules are fully enforced. This relates to appliances such as Cisco ASA that sit on the perimeter (DMZ) and function as a packet FW, DPI, NAC, IDS/IPS and UTM all in one, concerted and coordinated to generate posture tokens around the integrity of the device and the connection.

08 Nov 2011 11:03pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 22

Token Ring was a protocol that leveraged packet tokenization, and with MPLS token buckets are heavily utilized as well. The insertion of tokens within IPv6 packets allows for a rich set of capabilities around identification, authN and authZ of packets as well. Packet tokens augment path tokens and are combined with protocol tokens to determine (policy-based) posture tokens.

08 Nov 2011 10:56pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 21

The next 10 entries will revolve around the topics of DMZ perimeter PDP and network tokens, such as path tokens, packet tokens, protocol tokens, posture tokens and the like, which in essence help validate the integrity of a network connection, network session, device connection (both client and server devices) and more. See a well-written paper here.

08 Nov 2011 10:50pm GMT

Jackson Shaw - Quest: Self-service Provisioning with Quest One Identity Manager

There's a great 5 minute video that gives a nice overview of the self-service provisioning capability within Quest One Identity Manager. I've embedded it below or you can get to it here. There are a few key things worth highlighting about this demo that I think you'll be interested in so watch for:
  • How Scott Harris - the approver of Candice Clark being provisioned - is given an indication that there are no separation of duty (SOD) conflicts apparent if Candice is provisioned. What is cool here is that this SOD check is built right into the approval request. This helps move compliance front-and-center to the business manager who is responsible for approving the request.
  • Scott can also easily see the history of the request. In a more complicated scenario Scott would be able to see who else was involved in the workflow request, who initiated the request and via the same interface Scott can also see the next decision steps for the workflow.
Rather than different interfaces for compliance and complex workflows it is possible for business managers to easily understand that they have provisioning requests waiting for them, why they got the request, if approving the request would violate any compliance rules and who else might be involved in approving the request.

These types of capabilities really enable business owners in an organization to participate fully in their company's identity and access governance initiatives.

08 Nov 2011 5:58pm GMT
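As an added illustration (not Quest's code or data) of the SOD check and request-history view the demo describes: a provisioning request is evaluated against constructed toxic-combination rules, and the approver gets the conflicts, the initiator and the remaining decision steps in one view. The entitlement names and the second approver are assumptions.

```python
from dataclasses import dataclass, field

# Constructed toxic-combination rules (hypothetical entitlement names, not Quest's data).
SOD_RULES = {
    ("AP_Invoice_Entry", "AP_Payment_Approval"): "can enter and approve own payments",
    ("Vendor_Master_Edit", "AP_Payment_Approval"): "can create a vendor and pay it",
}

@dataclass
class ProvisioningRequest:
    request_id: str
    subject: str                  # user being provisioned
    current: set                  # entitlements the subject already holds
    requested: set                # entitlements this request would add
    workflow: list                # ordered approver chain
    history: list = field(default_factory=list)  # (actor, action) audit trail

def sod_conflicts(current, requested):
    """Toxic pairs present once the request is applied (pre-existing pairs are
    reported too, so the approver sees the whole picture, not just the delta)."""
    resulting = set(current) | set(requested)
    return [(pair, reason) for pair, reason in SOD_RULES.items()
            if pair[0] in resulting and pair[1] in resulting]

def approval_view(req, approver):
    """Everything the approver needs in one place: SOD result, who initiated,
    what has happened so far, and which decision steps remain after this one."""
    if approver not in req.workflow:
        raise ValueError(f"{approver} is not an approver on {req.request_id}")
    position = req.workflow.index(approver)
    return {
        "request": req.request_id,
        "subject": req.subject,
        "sod_conflicts": sod_conflicts(req.current, req.requested),
        "initiated_by": req.history[0][0] if req.history else None,
        "history": list(req.history),
        "next_steps": req.workflow[position + 1:],
    }

# Constructed sample: Candice Clark is requested into AP_Payment_Approval while
# already holding AP_Invoice_Entry; Scott Harris is the first approver.
SAMPLE = ProvisioningRequest(
    request_id="REQ-0001",
    subject="Candice Clark",
    current={"AP_Invoice_Entry"},
    requested={"AP_Payment_Approval"},
    workflow=["Scott Harris", "Finance Controller"],
    history=[("Candice Clark", "submitted"), ("Scott Harris", "opened")],
)
```

Calling `approval_view(SAMPLE, "Scott Harris")` returns one conflict for the sample, so the approver sees the violation inside the same decision screen rather than in a separate compliance tool.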

Ping Talk - Ping Identity: This Week in Identity - Will you vouch for me?

Connect.Me, an online reputation system, moved another step forward by allowing the first batch of users to start vouching for each other. You get to assert aspects of other people ("vouch for them"), like "engineer", "humorist", or "entrepreneur". Kind of like one-word LinkedIn recommendations. It's a folksonomy, where everyone makes up the terms. And you know what, it feels good. That means there is probably some reality behind it. Check it out! There were several other items of interest to the identity community, including one on valuable identity (click more for the list and links).

08 Nov 2011 3:55pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 20

Along the lines of decoupling an authentication token from an STS SAML token, which is a key concept to digest, the idea behind adaptive authentication (such as OAAM) is also critical, since the set of subject tokens made necessary depends on the composite risk token associated with the resource consumed and the composite risk token associated with the subject as well. So thus far we have covered risk tokens, authN tokens, SAML tokens, etc., in the first 20 entries. Now the focus will move on to a related area, which is network tokens and integrity tokens and more.

08 Nov 2011 2:49pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 19

In some cases innovative companies such as Axcionics generate all three token types (what you have, what you are and what you know), SIM + OTP + biometric all in one, to initiate a SAML session. OpenSSO as an STS was integrated with Axionics as an authentication mechanism as well. Hence a combination of tokens was generated at the get-go and associated with a SAML token in the STS.

08 Nov 2011 2:43pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 18

If one can start with a hard token that represents an initiating vector and leverage some sort of biometric credentials (non-intrusive) to authenticate a user, and bind the two tokens (or map the tokens with a SAML token) using an STS, one of the common ways to integrate and align to authenticated resources within an enterprise that has applications (applications with an authN token) is via Kerberos (common and popular). This is a key reason why we have the SAML Kerberos profile and approaches to integration leveraging an STS.

08 Nov 2011 2:32pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 17

Any hard token acting as the "initiating vector" allows the STS to bind other token types to it. In general, when authenticating an entity, in this case a subject, similar to a hard token associated with a device (tamper resistant), a hard token associated with a human being is obviously biometrics. The extensibility of the biometric authN tokens is also critical, such as DNA, fingerprint, facial recognition, retina, and more. Hence multiple biometric token types should be generated by a platform for the right risk context. I am reminded of the OpenSSO (STS) integration with Biobex for this purpose.

08 Nov 2011 2:26pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 16

Similar to blog entry no. 15, a TPM token can act as the initiating vector from which a SAML token is generated by an STS and mapped to an OpenID token, like the one demoed by Wave Technologies in 2009 at Digital ID World. This was an integrated demo using the Ping STS. This same approach can be leveraged with any hardware token from CPU makers such as Intel and AMD.

08 Nov 2011 2:18pm GMT

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 15

One of the key forking factors for federation is the SIM card and the GBA/GAA tokens that are generated by the mobile operators. To a certain extent, for enterprises that are extending their services to mobile devices, this bootstrapping architecture and AKA/Digest + SIM based GAA allows for some level of device and user context that can be exchanged via SAML tokens and an STS, and augmented with additional authN tokens if needed.

08 Nov 2011 2:14pm GMT