29 May 2015
- NG SIEM tools built on Big Data technologies will be Threat Intelligence aware and Risk/Behavior Intelligence aware (making them STIS - Security Threat IN Systems, where IN is short for intelligence)
- Threat Analytics with Big Data technologies will feed this Threat Intelligence (expressed as STIX) to all Security Controls
- This intelligence-driven ESA (Enterprise Security Architecture) will involve real-time response (actionable intelligence) and be fine grained in its recommended set of actions
- Threat IN will be integrated into the IAM stack for "design time", "provision time" and "run time" IAM control response
- Threat IN will be integrated with Network Security controls and Application+Data controls (pervasive integration)
- This creates the full-loop integration that security systems require, and it is IN (intelligence driven)
- Policy Automation and Dynamic Policy Generation+Combination will mature the Enterprise Security Architecture to respond in real time (hence the STIX and XACML specs)
29 May 2015 4:41pm GMT
28 May 2015
Unlike many of my other talks, this one didn't start as a speech and didn't start with a few phrases. This talk started as an analyst briefing deck. It had become clear that many of the identity industry analysts, if they covered customer identity at all, did so with a very narrow view of it. … Continue reading Stop Treating Your Customers Like Your Employees →
28 May 2015 9:36pm GMT
Photo source: Paul Chapman - The disappearing machine
Yeah, we get it. Identity is VERY important. Enough already.
The problem with rolling out the same message for years is that people stop listening. It's like the age-old line in press releases: "the market leader in"; sure, you and every other vendor out there. The market leader. Yeah, right.
Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:
- We've not been very effective in explaining what we mean. AND/OR
- No one gives a crap.
From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"
Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?
We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.
In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).
Today, we often pull out the data-loss card. But we can do better:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
I'll explain in the next post.
28 May 2015 11:25am GMT
The world of user data security is vast, complicated, and for many teams, difficult to navigate. When working with a legacy application, it can be difficult to determine the first, easy steps to ensure your user and customer data is more secure. But a few quick tips can dramatically improve user data security in most environments. At Stormpath, user data security is our top priority, so we want to share a few ideas to help you upgrade quickly.
Step 1: Separate The User Store from Application Data
One of the first - and easiest - steps to increase customer data security in the cloud is to separate user credentials and personally identifiable information (PII) from application data. Separating the user store ensures that any data collected by or provided to your application is not easily matched to its owner. What you separate depends on the application's use case, but typically separated user data includes usernames, email addresses, passwords and PII such as postal addresses or geolocation data.
This separation of user data provides several benefits:
- It simplifies the task of keeping your users anonymous. If an attacker finds a way into your application data, it will be harder for them to tie that data to a user or any of the user data they may be after (PII).
- It can simplify your security overhead by isolating user data, which demands higher security, from application data that may need to be easier to access and manipulate for performance reasons.
- It can make it easier to meet privacy requirements, whether imposed by a government, company or user demand.
- It is a requirement in some parts of the medical and financial industries: this method supports HIPAA compliance, as well as other standards.
One of the typical use cases for Stormpath is to create a totally separate data store that runs on separate infrastructure, either in our public cloud, our isolated enterprise cloud, or on a private deployment. The separation of infrastructure increases user security even further - user data is less vulnerable to attacks on your core system and network.
Of course, don't forget that user authentication data and PII should be protected and well-encrypted, both at rest and in transit, which brings us to the second step.
Step 2: Use a Strong Password Hashing Algorithm
We all know that user authentication data shouldn't be stored in plaintext, but do we all follow that rule? By one estimate, 30% of companies store or transmit passwords in plaintext.
Employing a purpose-built password hashing algorithm like bcrypt or scrypt makes cracking authentication data more difficult and more time intensive. Both algorithms are designed to be deliberately slow, with a tunable cost, in order to slow down brute-force cracking attempts. Bcrypt, for example, uses a CPU-intensive key setup to ensure password attacks require enormous computing power. Scrypt takes it one step further by also requiring a large, configurable amount of memory to compute each hash, which blunts GPU and custom-hardware attacks. Thus, attackers are forced to spend lots of time and money to attempt even the smallest of password cracking operations.
Last, remember to encrypt your backups and database dumps. It seems obvious, but forgetting this step introduces a common attack vector in cloud computing. If your backup process doesn't encrypt the archive (AES-256 or equivalent) before it leaves your control, you might have an issue. If you're looking for a secure way to store offsite backups, you might enjoy using tarsnap (created and run by Colin Percival, the creator of scrypt).
We believe it's faster to use Stormpath's pre-built Password Security and one of our 15-minute quickstarts than to roll your own password security. But if you must build it yourself, check out our blog post on building Password Security the Right Way and our handy Developer Best Practices Video on the Five Steps to Password Security.
Step 3: Frequently Update Your Hashing Complexity
When was the last time you updated your password hashing algorithm's complexity?
One of the most common attack vectors is password infrastructure that hasn't been properly maintained.
Every hash configuration weakens over time as hardware gets faster and cheaper, and as you can see from that chart, some commonly-used hashes are actually incredibly insecure. There are two ways to stay ahead of the curve:
- Make it part of your annual plan to raise the work factor of your hashes. Using bcrypt or scrypt gives you the ability to tweak the 'complexity' of your hashing algorithm (changing how long it takes to compute a hash) via a configuration option. Note that an existing hash can't be strengthened without the plaintext, so the usual approach is to re-hash each user's password at their next successful login and write the stronger record back.
- If you have any infrastructure currently securing passwords with anything other than bcrypt or scrypt, upgrade it to bcrypt or scrypt immediately. To make this truly easy for you, here are some upgrade tutorials for Python and PHP. Lots of other examples can be found online.
At Stormpath, we update our hashing complexity every 6-12 months, and can help migrate from your legacy user store to Stormpath Password Security if you don't want to build this yourself.
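Steps 2 and 3 together amount to one mechanism: hash with a tunable algorithm, record the parameters next to the hash, and re-hash at login whenever the stored record falls below current policy. The following is an added example written for this post, not Stormpath's code or library. It uses only the Python standard library (hashlib.scrypt, available in Python 3.6+ built against OpenSSL 1.1 or newer); the record formats `scrypt$N$r$p$salt$hash` and the legacy `sha256$salt$hash` are this example's own convention, and the user table is constructed sample data.

```python
"""scrypt password storage with upgrade-on-login for legacy or under-cost records.
Added example, not Stormpath code. Record formats are this example's convention:
    scrypt$<N>$<r>$<p>$<salt hex>$<hash hex>   current scheme
    sha256$<salt hex>$<hash hex>               legacy scheme being retired
"""
import hashlib
import hmac
import os

# Current cost policy. Revisit it on the schedule the post recommends and raise N;
# scrypt needs roughly 128 * r * N bytes, so N=2**14, r=8 costs about 16 MiB per hash.
CURRENT_N, CURRENT_R, CURRENT_P = 2 ** 14, 8, 1
# OpenSSL rejects hashes above a 32 MiB default; pass an explicit cap so a raised N still works.
MAXMEM = 2 ** 27
DKLEN = 32


def hash_password(password, n=CURRENT_N, r=CURRENT_R, p=CURRENT_P):
    """Hash a password under the given scrypt parameters with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=DKLEN)
    return "scrypt${}${}${}${}${}".format(n, r, p, salt.hex(), digest.hex())


def legacy_sha256(password, salt):
    """Salted single-round SHA-256: the kind of record the post says to migrate off."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "sha256${}${}".format(salt.hex(), digest)


def needs_rehash(stored):
    """True if the record uses a legacy scheme or scrypt parameters below current policy."""
    parts = stored.split("$")
    if parts[0] != "scrypt":
        return True
    n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
    return n < CURRENT_N or r < CURRENT_R or p < CURRENT_P


def verify(password, stored):
    """Constant-time comparison against whichever scheme the record was written with."""
    parts = stored.split("$")
    pw = password.encode("utf-8")
    if parts[0] == "sha256":
        salt = bytes.fromhex(parts[1])
        return hmac.compare_digest(hashlib.sha256(salt + pw).hexdigest(), parts[2])
    if parts[0] == "scrypt":
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = bytes.fromhex(parts[4])
        digest = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)
        return hmac.compare_digest(digest.hex(), parts[5])
    raise ValueError("unknown password record format")


def login(password, stored):
    """Check the password; on success also return a replacement record when the stored
    one is legacy or under-parameterised. Login is the only moment the plaintext is in
    hand, so this is where the stronger hash gets written back (None means keep as is)."""
    if not verify(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    # Constructed sample records: one legacy, one scrypt hashed under a weaker old policy.
    table = {
        "alice": legacy_sha256("correct horse battery staple", os.urandom(16)),
        "bob": hash_password("hunter2", n=2 ** 12),
    }
    for user, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2"), ("bob", "wrong")):
        ok, upgraded = login(pw, table[user])
        if ok and upgraded:
            table[user] = upgraded  # write the stronger record back
        print(user, "ok" if ok else "rejected", "rehashed" if upgraded else "")
    assert not any(needs_rehash(rec) for rec in table.values())
```

Because the parameters travel with each record, raising `CURRENT_N` later is a one-line change: every user is migrated the next time they sign in, and `needs_rehash` tells you how much of the user store is still behind policy.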
28 May 2015 12:30am GMT
There's been interest in being able to not base64url-encode the JWS Payload under some circumstances by a number of people. I've occasionally thought about ways to accomplish this, and prompted again by discussions with Phillip Hallam-Baker, Martin Thomson, Jim Schaad, and others at IETF 92 in Dallas, recollections of conversations with Matt Miller and Richard Barnes […]
28 May 2015 12:03am GMT
27 May 2015
The -01 version of draft-jones-jose-key-managed-json-web-signature tightened the semantics by prohibiting use of "dir" as the "alg" header parameter value so a second equivalent representation for content integrity-protected with a MAC with no key management isn't introduced. (A normal JWS will do just fine in this case.) Thanks to Jim Schaad for pointing this out. This […]
27 May 2015 11:55pm GMT
Mike Jones - Microsoft: JWK Thumbprint -05 draft addressing issues raised in Kathleen Moriarty’s AD review
This JWK Thumbprint draft addresses issues raised in Kathleen Moriarty's AD review of the -04 draft. This resulted in several useful clarifications. This version also references the now-final JOSE RFCs. The specification is available at: http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-05 An HTML formatted version is also available at: http://self-issued.info/docs/draft-ietf-jose-jwk-thumbprint-05.html
27 May 2015 8:30pm GMT
What a couple of weeks they've been!
I absolutely loved the chance to speak directly with so many of you. You are doing pretty amazing stuff with our dev libraries, and your feedback is key for ensuring that we keep delivering on the features you need.
If you want to catch up, below you [...]
27 May 2015 4:58pm GMT
Fredericia School of Maritime and Tech Engineering has just joined WAYF. Users here now have the ability to access WAYF-connected web services using their institutional accounts.
27 May 2015 11:41am GMT
Julian Bond: Bruce Sterling's Austin, Texas, SXSW keynote speech from 2014. "The future is about old people, in big...
Bruce Sterling's post today on tumblr of Austin, Texas in 2015. Photos of a city, floods, menacing skies. You can't see the old people because they're all in cars.
And four other intriguing things: when otters attack, the objects of brain interfaces, WWI diaries, and a digital model of a piano.
[from: Google+ Posts]
27 May 2015 8:11am GMT
26 May 2015
On May 26, 1927 Henry Ford and his son Edsel drove the final Model T out of the Ford factory. Completion of this 15 millionth Model T Ford marked the famous automobile's official last day of production. The History.com article stated: More than any other vehicle, the relatively affordable and efficient Model T was responsible for accelerating the [...]
26 May 2015 6:16pm GMT
On May 25, 1961, President John F. Kennedy announced his goal of putting a man on the moon by the end of the decade. A brief excerpt of the speech: I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him [...]
26 May 2015 5:15pm GMT
Incorporating all the current health buzzwords in your diet doesn't necessarily mean you are eating healthy: Tom Fishburne (aka Marketoonist) explains: It's a tricky time to be a food marketer. How consumers define what it means to be "healthy" is in flux. As a food marketing friend pointed out, consumers are increasingly prioritizing food purity [...]
26 May 2015 5:04pm GMT
OAuth 2.0 is the preferred mechanism for authorizing native mobile applications to their corresponding API endpoints. In order to be authorized, the native application attaches an OAuth access token to its API calls. Upon receiving a call, the API extracts the token, validates it (checks issuer, lifetime, associated authorizations, etc) and then determines whether the [...]
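The validation step the paragraph lists (extract the token, check issuer, lifetime and associated authorizations) is where most API-side mistakes happen. Below is an added example, not the post's own code. It assumes the access token arrives as an RFC 6750 bearer token and that its claims use JWT-style names (iss, aud, exp, nbf, scope); signature verification, which must come first, is out of scope here, so `validate_claims` takes claims that have already been verified. The request headers, claims and URLs are constructed sample data.

```python
"""API-side bearer token extraction and claim validation. Added example, not the
post's code; assumes RFC 6750 bearer tokens with JWT-style (RFC 7519) claim names."""
import time


class TokenError(Exception):
    """Raised for any failed check; the API should answer 401/403 without detail."""


def extract_bearer(headers):
    """Pull the token from the Authorization header. Header names and the 'Bearer'
    scheme name are both case-insensitive, so 'bearer' and 'BEARER' are accepted."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        raise TokenError("no Authorization header")
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise TokenError("expected 'Bearer <token>'")
    return parts[1]


def validate_claims(claims, issuer, audience, required_scopes=(), now=None, skew=60):
    """Issuer, audience, lifetime and authorization checks on verified claims.
    Returns the granted scope set. `skew` (seconds) tolerates clock drift between
    the authorization server and this API."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    # 'aud' may be a single string or a list; this API must be one of the audiences.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise TokenError("token expired or has no expiry")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - skew:
        raise TokenError("token not yet valid")
    granted = set(str(claims.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        raise TokenError("missing scope(s): " + " ".join(sorted(missing)))
    return granted


if __name__ == "__main__":
    # Constructed request and claims for a hypothetical API at https://api.example.com.
    request_headers = {"Authorization": "Bearer eyJ.constructed.token"}
    claims = {"iss": "https://as.example.com",
              "aud": ["https://api.example.com", "https://other.example.com"],
              "exp": 1700000600, "nbf": 1700000000, "scope": "profile:read"}
    token = extract_bearer(request_headers)
    print(token, validate_claims(claims, "https://as.example.com", "https://api.example.com",
                                 ["profile:read"], now=1700000300))
```

Note that a missing `exp` is rejected rather than treated as "never expires", and that the required scopes are checked against the token, not against the user: the post's point is that the API authorizes the bearer of the token by what the token says, so a token that authenticates fine but lacks the scope still gets a 403.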
26 May 2015 11:48am GMT
25 May 2015
My recent posts about ForgeRock attracted a lot of attention. The reactions filled the spectrum almost completely. I've seen agreement, disagreement, peaceful and heated reactions. Some people were expressing thanks, others were obviously quite upset. Some people seem to take it as an attack on ForgeRock. This was not my goal. I didn't want to harm ForgeRock or anyone else personally. All I wanted was to express my opinion about software that I'm using and write down the story of our beginnings. But looking back I can understand that this kind of expression might be too radical. I hadn't thought about that. I'm an engineer, not a politician. Therefore I would like to apologize to all the people that I might have hurt. It was not intentional. I didn't want to declare a war or anything like that. If you have understood it like that, please take this note as an offer of peace.
A friend of mine gave me some very wise advice recently. What has happened is history. What was done cannot be undone. So, let it be. And let's look into the future. After all, if it hadn't been for all that history with Sun, Oracle and ForgeRock we probably would not have had the courage to start midPoint as an independent project. Therefore I think I should be thankful for this. Do not look back, look ahead. And it looks like there are great things silently brewing under the lid ...
(Reposted from https://www.evolveum.com/pax/)
25 May 2015 2:50pm GMT
22 May 2015
According to the 2015 Bad Bot Landscape report, published by Distil Networks, only 40% of Internet traffic is generated by humans! Good bots (e.g. Googlebot and Bingbot for search engines) account for 36% of traffic, while bad bots account for 23%. Bad bots continue to place a huge tax on IT security and web infrastructure teams across the globe. [...]
22 May 2015 6:16pm GMT