31 Oct 2014

feedPlanet Identity

WAYF News: Royal Society of Chemistry now a WAYF service

Online resources from the chemistry publisher Royal Society of Chemistry (RSC) can now be accessed through WAYF. Institutions connected to WAYF and subscribing to the RSC services must write to ejournals@rsc.org to have their WAYF access enabled.

31 Oct 2014 12:29pm GMT

Kuppinger Cole: 11.03.2015: Identity Management Crash Course

In KuppingerCole

An overall view on IAM/IAG and the various subtopics - define your own "big picture" for your future IAM infrastructure.

31 Oct 2014 10:43am GMT

Kuppinger Cole: 12.03.2015: Mastering Cyber Defense 2020. Enabling Business Transformation

In KuppingerCole

Your business is changing. The IoT, mobile users, tight interaction with customers, mobility, etc.: Information Security has to enable this transformation by mitigating security risks.

31 Oct 2014 10:26am GMT

30 Oct 2014

feedPlanet Identity

Matt Flynn - NetVision: A Few Thoughts on Privacy in the Age of Social Media

Everyone already knows there are privacy issues related to social media and new technologies. Non-tech-oriented friends and family members often ask me questions about whether they should avoid Facebook messenger or flashlight apps. Or whether it's OK to use credit cards online in spite of recent breach headlines. The mainstream media writes articles about leaked personal photos and the Snappening. So, it's out there. We all know. We know there are bad people out there who will attempt to hack their way into our personal data. But, that's only a small part of the story.

For those who haven't quite realized it, there's no such thing as a free service. Businesses exist to generate returns on investment capital. Some have said about Social Media, "if you can't tell what the product is, it's probably you." To be fair, most of us are aware that Facebook and Twitter will monetize via advertising of some kind. And yes, it may be personalized based on what we like or retweet. But, I'm not sure we fully understand the extent to which this personal, potentially sensitive, information is being productized.

Here are a few examples of what I mean:

Advanced Profiling

I recently viewed a product marketing video targeted to communications service providers. It describes that massive adoption of mobile devices and broadband connections suggesting that by next year there will be 7.7 billion mobile phones in use with 15 billion connections globally. And that "All of these systems produce an amazing amount of customer data" to the tune of 40TB per day; only 3% of which is transformed into revenue. The rest isn't monetized. (Gasp!) The pitch is that by better profiling customers, telcos can improve their ability to monetize that data. The thing that struck me was the extent of the profiling.

As seen in the screen capture, the user profile presented extends beyond the telco services acquired or service usage patterns into the detailed information that flows through the system. The telco builds a very personal profile using information such as favorite sports teams, life events, contacts, location, favorite apps, etc. And we should assume that favorite sports team could easily be religious beliefs, political affiliations, or sexual interests.

IBM and Twitter

On October 29, IBM and Twitter announced a new relationship that enables enterprises to "incorporate Twitter data into their decision-making." In the announcement, Twitter describes itself as "an enormous public archive of human thought that captures the ideas, opinions and debates taking place around the world on almost any topic at any moment in time." And now all of those thoughts, ideas, and opinions are available for purchase through a partnership with IBM.

I'm not knocking Twitter or IBM. The technology behind these capabilities is fascinating and impressive. And perhaps Twitter users allow their data to be used in these ways by accepting the Terms of Use. But, it feels a lot more invasive to essentially provide any third party with a siphon into the massive data that is our Twitter accounts than it would be to, for example, insert a sponsored tweet into my feed that may be selected based on which accounts I follow or keywords I've tweeted.

Instagram Users and Facebook

I recently opened Facebook to see an updated list of People I may know. Most Facebook users are familiar with the feature. It can be an easy way to locate old friends or people who recently joined the network. But something was different. The list was heavily comprised of people who I sort of recognize but have never known personally.

I realized that Facebook was trying to connect me with many of the people behind the accounts I follow on Instagram. Many of these people don't use their real names, talk about their work, or discuss personal family matters on Instagram. They're photographers sharing photos. Essentially, they're artists sharing their art with anyone who wants to take a look. And it feels like a safe way to share.

But now I'm looking at a profile of someone I knew previously only as "Ty_Chi the landscape photographer" and I can now see that he is actually Tyson Kendrick, retail manager from Chicago, father of three girls and a boy. Facebook is telling me more than Mr. Kendrick wanted to share. And I'm looking at Richard Thompson, who's a marketing specialist for one of the brands I follow. I guess Facebook knows the real people behind brand accounts too. It started feeling pretty creepy.

What does it all mean?

Monetization of social media goes way beyond targeted advertising. Businesses are reaching deep into any available data to make connections or discover insights that produce better returns. Service providers and social media platforms may share customer details with each other or with third parties to improve their own bottom lines. And the more creative they get, the more our sense of privacy erodes.

What I've outlined here extends only slightly beyond what I think most people expect. But, we should collectively consider how far this will all go. If companies will make major financial decisions based on Twitter user activity, will there be well-funded campaigns to change user behavior on Social Media platforms? Will the free-flow exchange of ideas and opinions become more heavily and intentionally influenced?

The sharing/exchanging of users' personal data is becoming institutionalized. It's not a corner case of hackers breaking in. It's a systemic business practice that will grow, evolve, and expand.

I have no recipe to avoid what's coming. I have no suggestions for users looking to hold onto to the last threads of their privacy. I just think it's worth thinking critically about how our data may be used and what that may mean for us in years to come.

30 Oct 2014 2:02pm GMT

Vittorio Bertocci - Microsoft: ADAL .NET v3 Preview: PCL, Xamarin iOS and Android Support

It's again preview time for ADAL .NET! I can't believe we are already working on version 3 - this pace would have been unthinkable just few years back, and yet today it is barely enough to keep up with the new possibilities that the tech landscape offers.

Version 1 and 2 have been enjoying great [...]

30 Oct 2014 11:00am GMT

Kuppinger Cole: 25.11.2014: From Privacy Impact Assessments (PIA) to Information Risk Assessments

In KuppingerCole

Privacy Impact Assessments (PIAs) are already or soon will be a legal requirement in many jurisdictions or sectors (i.e. payment cards sector). They provide a great help for institutions to focus on privacy and data flows and therefore provide an interesting entry point into an overall discussion on Information and identity-related risks. In this webinar, KuppingerCole´s fellow analysts Scott David and Karsten Kinast will discuss with you about PIAs as a natural starting point for a broader...

30 Oct 2014 9:20am GMT

29 Oct 2014

feedPlanet Identity

Kuppinger Cole: 04.12.2014: Identity & Access Management als Fundament für das Digitale Business

In KuppingerCole

Das Digitalzeitalter, die Verschmelzung der digitalen mit der "wirklichen", der analogen Welt, verändert unser Geschäft grundlegend und irreversibel. Bestehende Geschäftsmodelle an die neuen Anforderungen anzupassen und neue Chancen wirksam und effizient zu nutzen, ist die große Herausforderung dieser Transformation und unserer Zeit. Plötzlich ist die IT überall und Bestandteil aller Ebenen der Wertschöpfung. Alle Beziehungen eines Unternehmens, insbesondere aber die zu Kunden und...

29 Oct 2014 7:57am GMT

28 Oct 2014

feedPlanet Identity

Paul Madsen: Less is more

I attended GigaOM's Structure Connect conference in San Francisco last week. The event was great, lots of interesting discussions & panels.

I was in a 'Securing the IoT' breakout session where one of the GigaOM analysts made the assertion (paraphrasing)

Developers need better training on security, they need to take more responsibility for securing their applications.

This actually runs completely counter to what I've been seeing as the overarching trend around application security, namely that developers need to take (or even be given) less responsibility for securing their applications - not more.

If their app has to handle $$, do developers directly track currency exchange rates? No, they find an API that does that and so removes them from a task secondary to that of the application itself. The currency API abstracts away from the developer all the messiness - they make a simple REST call and get back a tidy bit of JSON to parse & use.

From the developers point of view, why would security be different? Do they want to deal with the specific details of supporting different authentication protocols, crypto etc. Or would they prefer to focus on adding features and functionality to their apps?

The trend towards lightening the security load for developers manifests in various ways

The Facebook SDK for iOS provides various login experiences that your app can use to authenticate someone. This document includes all the information you need to know in order to implement Facebook login in your iOS app.

Google has the comparable the Google+ Sign-In, the documentation for which asserts

Avoid the hassle of creating your own authentication systemGoogle+ Sign-In mitigates data-breach risks and reduces the burden and costs of identity security. The Google authentication window creates a trusted link between you, your users, and their Google account.

The above are all examples of freeing application developers from having to bear full responsibility for securing APIs & native applications. And last I checked, both will be relevant for the Internet of Things. Freed from the burden of security, IoT developers will be able to focus their attention where they should - namely creating new & interesting visual paradigms for my wearable step data.

28 Oct 2014 8:39pm GMT

Nishant Kaushik - Oracle: The SCUID has a new home. At CA Technologies

Identity is the key to a secure, agile, cloud-based world. Which means that managing and using identities has to be easy, seamless, inherent, cost-effective. Enabling that was the mission when I joined Identropy to build what would become SCUID. We believed that the future of identity management lay in the cloud, and required a fundamental rethink of the business...

The post The SCUID has a new home. At CA Technologies appeared first on Talking Identity | Nishant Kaushik's Look at the World of Identity Management.

28 Oct 2014 5:22pm GMT

Vittorio Bertocci - Microsoft: ADAL JavaScript and AngularJS – Deep Dive

Many web apps are structured as "single page apps", or SPA: they have a JavaScript-heavy frontend and a Web API backend. Notable examples: Outlook Web App, Gmail.

Properly securing SPA's traffic between its JS frontend and its Web API backend requires an OAuth2 flow, the implicit grant, that Azure AD did not expose… until today's [...]

28 Oct 2014 3:00pm GMT

Ludovic Poitou - ForgeRock: 2014 European IRM Summit in only a few days away !

Starting Monday next week, at the Powerscourt Estate near Dublin, the European IRM Summit is just a few days away. I'm polishing the content and demos for the 2 sessions that I'm presenting, one for each product that I'm managing: OpenDJ and OpenIG. Both take place on the Wednesday afternoon in the Technology Overview track. […]

28 Oct 2014 1:42pm GMT

27 Oct 2014

feedPlanet Identity

Katasoft: A Simple Web App with Node.js, Express, Bootstrap & Stormpath -- in 15 Minutes

Here at Stormpath we <heart> Node.js - it's so much fun to build with! We're built several libraries to help node developers achieve user management nirvana in your applications.

If you've built a web app before, you know that all the "user stuff" is a royal pain. Stormpath gives [developers all that "user stuff" out-of-the-box] (https://docs.stormpath.com/nodejs/express/) so you can get on with what you really care about - your app! By the time you're done with this tutorial ( < 15 minutes, I promise), you'll have a fully-working Express app.

We will focus on our Express-Stormpath library to roll out a simple Express.js web application, with a complete user registration and login system, with these features:

  • Login and Registration pages
  • Password reset workflows
  • A profile page for your logged in users
  • A customizable home page
  • The ability to add other Stormpath features in our Express-Stormpath library (API authentication, SSO, social login, and more)

In this demo we will be using Express 4.0, we'll discuss some of the great features of Express 4.0 as we go along. I will be using my Mac, the Terminal app, and Sublime Text for a text editor.

What is Stormpath?

Stormpath is an API service that allows developers to create, edit, and securely store user accounts and user account data, and connect them with one or multiple applications. Our API enables you to:

  • Authenticate and authorize your users
  • Store data about your users
  • Perform password and social based login
  • Send password reset messages
  • Issue API keys for API-based web apps
  • And much more! Check out our Product Documentation

In short: we make user account management a lot easier, more secure, and more scalable than what you're probably used to.

Ready to get started? Register for a free developer account at https://api.stormpath.com/register

Start your project

Got your Stormpath developer account? Great! Let's get started.. vroom vroom

If you don't already have Node.js on your system you should head over to https://nodejs.org and install it on your computer. In our examples we will be using a Mac, all commands you see should be entered in your Terminal (without the $ in front - that's a symbol to let you know that these are terminal commands)

Step one is to create a folder for this project and change into that directory:

$ mkdir my-webapp
$ cd my-webapp

Now that we are in the folder we will want to create a package.json file for this project. This file is used by Node.js to keep track of what libraries (aka modules) your project depends on. To create the file:

$ npm init

You will be asked a series of questions, for most of them you can just press enter to allow the default value to be used. Here is what I chose, I decided to call my main file app.js, I set my own description and set the license to MIT - everything else I just pressed enter on:

Press ^C at any time to quit.
name: (my-webapp)
version: (0.0.0)
description: Website for my new app
entry point: (index.js) app.js
test command:
git repository:
license: (ISC) MIT
About to write to /private/tmp/my-webapp/package.json:

  "name": "my-webapp",
  "version": "0.0.0",
  "description": "Website for my new app",
  "main": "app.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  "author": "",
  "license": "MIT"

Is this ok? (yes) yes

With that I will now have a package.json file in my folder. I can take a look at what's in it:

$ cat package.json

  "name": "my-webapp",
  "version": "0.0.0",
  "description": "Website for my new app",
  "main": "app.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  "author": "",
  "license": "MIT"

Looks good! Now let's install the libraries we want to use. You can install them all with this command:

$ npm i --save express express-stormpath jade forms csurf xtend

The save option will add this module to your dependencies in package.json. Here is what each module does:

  • Express.js is the web framework that everything else is built on
  • Express-stormpath provides convenience features that can be tied in to the Express app, making it very easy to use Stormpath's features in Express
  • Jade is a templating engine for writing HTML pages
  • Forms is a module that will take the pain out of validating HTML forms
  • Csurf adds CSRF protection to our forms
  • Xtend is a utility library that makes it easy to copy properties from one JavaScript object to another.

Gather your API Credentials and Application Href

The connection between your app and Stormpath is secured with "API Key Pair". You will provide these keys to your web app and it will use them when it communicates with Stormpath. You can download your API key pair in our Admin Console. After you login you can download your API key pair from the home page, it will download the apiKey.properties file - we will use this in a moment.

While you are in the Admin Console you want to get the href for your default Stormpath Application. In Stormpath, an Application object is used to link your web app to your user stores inside Stormpath. All new developer accounts have an app called "My Application". Click on "Applications" in the Admin Console, then click on "My Application". On that page you will see the Href for the Application. Copy this - we will need it shortly.

Writing the application entry (app.js)

It's time to create app.js, this will be the entry point for your server application. You can do that from Sublime Text or you can do this in the terminal:

$ touch app.js

Now open that file in Sublime Text and put the following block of code in it:

var express = require('express');
var stormpath = require('express-stormpath');

var app = express();

app.set('views', './views');
app.set('view engine', 'jade');

var stormpathMiddleware = stormpath.init(app, {
  apiKeyFile: '/Users/robert/.stormpath/apiKey.properties',
  application: 'https://api.stormpath.com/v1/applications/xxx',
  secretKey: 'some_long_random_string',
  expandCustomData: true,
  enableForgotPassword: true


app.get('/', function(req, res) {
  res.render('home', {
    title: 'Welcome'


You'll need to set the location of apiKeyFile to be the location on your computer where you saved the file. You also need to set the application href to be the one that you looked up earlier.

The secretKey value should be changed as well, this will be used as a key for encrypting any cookies that are set by this webapp. I suggest using a long, random string of any type of character.

In this example we've enabled some stormpath-specific options, they are:

  • The password reset flow via enableForgotPassword - this will enable a password reset page at /forgot
  • Auto-expansion of custom data - this will come in handy later when we build the profile page

There are many more options that can be passed, and we won't cover all of them in this demo. Please seee the Express-Stormpath Documentation for a full list

Create your home page

Let's get the easy stuff out of the way: your home page. Create a views directory and then create a Jade file for the home page:

$ mkdir views
$ touch views/home.jade

Now open that file in Sublime Text and put the following in it:

    link(href='//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css', rel='stylesheet')
        h1 Hello!

        if user
          p Welcome, #{user.fullName}
            a.small(href="profile") Edit my profile
          a.btn.btn-primary(href="/logout") Logout
          p Welcome to my app, ready to get started?
            a.btn.btn-primary(href="/login") Login now
            span.small Don't have an account?
            span &nbsp;
            a.small(href="/register") Register now

This is a simple view that will prompt a new visitor to log in, or greet a registered user if they have already logged in.

With that… we've got something we can look at!

Run the server - It's Aliiiive!

I kid you not: your application is ready to be used. Just run this command to start the server:

$ node app.js

This will start your app which is now running as a web server on your computer. You can now open this link in your browser:


You should see your home page now:

Node App Home

Go ahead, try it out! Create an account, you will be redirected back to the home page and shown your name. Then logout and login again, same thing! Pretty amazing, right??

Pro tip: use a file watcher

As we move forward we will be editing your server files. You will need to restart the server each time. You can kill the server by typing Ctrl + C in your Terminal. But I suggest using a "watcher" that will do this for you.

I really like the Nodemon tool. You can install it globally (it will always be ready for you!) with this command:

$ npm install -g nodemon

After installation, you can then run this command:

$ nodemon app.js

This will start your server and watch for any file changes. Nodemon will automatically restart your server if you change any files - sweet!

Create the profile page

A common feature of most sites is a "Dashboard" or "profile" page - a place where your visitor provide some essential information.

For example purposes, we're going to build a profile page that allows you to collect a shipping address from your visitors. We will leverage Custom Data, one of the most powerful features of stormpath

To begin, let's create a new view for this dashboard:

$ touch views/profile.jade

And a JavaScript file where the route handler will live:

$ touch profile.js

Now we've got some copy-and-paste work to do. These two files are pretty big, so we'll explain them after the paste.

Paste this into profile.js:

var express = require('express');
var forms = require('forms');
var csurf = require('csurf');
var collectFormErrors = require('express-stormpath/lib/helpers').collectFormErrors;
var stormpath = require('express-stormpath');
var extend = require('xtend');

// Declare the schema of our form:

var profileForm = forms.create({
  givenName: forms.fields.string({
    required: true
  surname: forms.fields.string({ required: true }),
  streetAddress: forms.fields.string(),
  city: forms.fields.string(),
  state: forms.fields.string(),
  zip: forms.fields.string()

// A render function that will render our form and
// provide the values of the fields, as well
// as any situation-specific locals

function renderForm(req,res,locals){
  res.render('profile', extend({
    title: 'My Profile',
    csrfToken: req.csrfToken(),
    givenName: req.user.givenName,
    surname: req.user.surname,
    streetAddress: req.user.customData.streetAddress,
    city: req.user.customData.city,
    state: req.user.customData.state,
    zip: req.user.customData.zip

// Export a function which will create the
// router and return it

module.exports = function profile(){

  var router = express.Router();


  // Capture all requests, the form library will negotiate
  // between GET and POST requests

  router.all('/', stormpath.loginRequired, function(req, res) {
      success: function(form){
        // The form library calls this success method if the
        // form is being POSTED and does not have errors

        // The express-stormpath library will populate req.user,
        // all we have to do is set the properties that we care
        // about and then cal save() on the user object:
        req.user.givenName = form.data.givenName;
        req.user.surname = form.data.surname;
        req.user.customData.streetAddress = form.data.streetAddress;
        req.user.customData.city = form.data.city;
        req.user.customData.state = form.data.state;
        req.user.customData.zip = form.data.zip;
              errors: [{
                error: err.userMessage ||
                err.message || String(err)
      error: function(form){
        // The form library calls this method if the form
        // has validation errors.  We will collect the errors
        // and render the form again, showing the errors
        // to the user
          errors: collectFormErrors(form)
      empty: function(){
        // The form library calls this method if the
        // method is GET - thus we just need to render
        // the form

  // This is an error handler for this router

  router.use(function (err, req, res, next) {
    // This handler catches errors for this router
    if (err.code === 'EBADCSRFTOKEN'){
      // The csurf library is telling us that it can't
      // find a valid token on the form
        // session token is invalid or expired.
        // render the form anyways, but tell them what happened
          errors:[{error:'Your form has expired.  Please try again.'}]
        // the user's cookies have been deleted, we dont know
        // their intention is - send them back to the home page
      // Let the parent app handle the error
      return next(err);

  return router;

Paste this into profile.jade:


        h1 My Profile

      if errors
        each error in errors
            span #{error.error}
      if saved
          span Your profile has been saved
      form.login-form.form-horizontal(method='post', role='form')
        input(name='_csrf', type='hidden', value=csrfToken)

          label.col-sm-4 First Name
              placeholder='Your first name',
          label.col-sm-4 Last Name
            input.form-control(placeholder='Your last name',
          label.col-sm-4 Street address
            input.form-control(placeholder='e.g. 123 Sunny Ave',
          label.col-sm-4 City
            input.form-control(placeholder='e.g. City',
          label.col-sm-4 State
            input.form-control(placeholder='e.g. CA',
          label.col-sm-4 ZIP
            input.form-control(placeholder='e.g. 94116',
            button.login.btn.btn-primary(type='submit') Save
          a(href="/") Return to home page

Breaking it down

You've just created an Express Router. Saywha? I really like how the Express maintainers have described this:

A router is an isolated instance of middleware and routes.
Routers can be thought of as "mini" applications, capable only
of performing middleware and routing functions. Every express
application has a built-in app router.

… saywha?

In my words: Express 4.0 encourages you to break up your app into "mini apps". This makes everything much easier to understand and maintain. This is what we've done with the profile.js file - we've created a "mini app" which handles JUST the details associated with the profile page.

Don't believe me? Read on.

Plug in your profile page

Because we followed the Router pattern, it's now this simple to add the profile page to your existing app.js file (put it right above the call to app.listen):


Omg. Yes. YES. You've just decoupled the implentation of a route from it's addressing. Holy grail? Almost. Awesome? Most Def.

Restart your sever and visit /profile, you should see the form now:

Node App Home

Breaking it down - for real

Okay, there's a LOT more to talk about here. So let me cover the important points:

  • The profile.js file is a builder or constructor, so to speak. You have to invoke it as a method in order to get the router out of it. That's why we have that empty () after the require('./profile') statement. Why bother? Because with this pattern you can pass in any options that may be required for this router. At the moment we don't have any, but who knows what the future holds? Doing this give you room to use this router in multiple web apps and factor out any app-specific config.

  • We are using the forms library to create a schema for the profile form. This is a good practice because it separates the way in which we validate from the form from the way in which the form is displayed.

  • We have a renderForm function which is responsible for creating the view model of the form - this model is passed down to the Jade layer, so that profile.jade has all the properties it needs for rendering the form. This render function ensures that our template layer doesn't blow up with missing values

  • We are using the Csurf library to add CSRF tokens to the form as a security measure. This is done automaticaly for the default forms (login, registration, password reset), but because this is a new, custom router, we have to setup those details manually

  • We reach into the Express-Stormpath library to grab our collectFormErrors function, a handy utility for pulling validation errors out of the response we get from the forms library. Note to self: PR that in to forms library!

  • We make use of the loginRequired middleware to ensure that users are logged in before they can use this profile page

Wrapping it up

Alas, we've reached the end of this tutorial. You now have a web app that can reigster new users and allow them to provide you with a shipping address, pretty sweet right?

Following the profile example you now have everything you need to start building other pages in your application. As you build those pages, I'm sure you'll want to take advantage of some other great features, such as:

Those are just a few of my favorites, but there is so much more!

Please read the Express-Stormpath Product Guide for details on how to implement all these amazing features - and don't hesitate to reach out to us!

WE LOVE WEB APPS and we want your user management experience to be 10x better than you ever imagined.

-robert out

27 Oct 2014 6:00pm GMT

Courion: Increase IT Efficiency & Improve Security with Intelligence Enabled IAM

Access Risk Management Blog | Courion

David Paparello"Too much to do, too few resources."

This is a phrase that all too frequently comes up in the discussions that I have with IT staff in organizations around the globe. They feel never-ending pressure to improve security and service to the business, but usually with the same or fewer resources. This is a challenge that is especially glaring when trying to marry solid Identity and Access Management practices with current business processes.

For example, a security manager I spoke to at a large health organization was nearly brought to tears as he talked about the need to accurately track an ever-changing user population where the same person might move through multiple roles and through multiple access scenarios in the course of just a week. At another organization, a help desk manager I worked with wrestled daily with an avalanche of access requests from users who had no idea what access to request, and were seeking help from administrators who in turn had no idea what access users actually needed.

What's often needed in these situations is an IAM program that is centered on incremental progress that can provide some instant relief while also generating the time and resources needed so that the program can subsequently be expanded into a comprehensive solution. The key is to know where to begin, and to aim for quick business value. Those quick wins will help free-up resources by simplifying and automating processes that typically suck-up valuable manpower and time. Each incremental win then makes it easier to maintain momentum and expand user buy-in within the organization.

To get started with an IAM program that supports this kind of continuous improvement, you should first understand your identity and access landscape. By leveraging intelligence, as with Courion's Access Insight, you can get an immediate evaluation of Microsoft Active Directory, a key system for most organizations. Acess Insight dashboardThe dashboards included with Access Insight highlight potentially urgent security issues as well as IAM processes that may be broken. Access Insight integrates with the Access Assurance Suite or other IAM solutions so you can drill down to fix those broken processes and promptly disable access for terminations and properly manage non-employee access.

Another benefit of getting the big picture view of your identity and access landscape with Access Insight is to better understand who has access to what and to put automated processes in place to refresh that information at least daily. Even the most complex scenarios benefit greatly from putting rules in place that can automatically map access for 70-95% of the workforce. Allowances can be made for exceptions to be handled manually so that no one falls through the cracks.

With this real-time access information available as a foundation, you can then tackle any number of pain points. For example, most often, the onboarding and offboarding processes for user accounts cry out for attention. Offboarding, both planned and unplanned, is generally simple to address with an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, alleviating security and/or audit concerns.

In addition, automating at least basic, birthright access for new hires can be both a quick win and a foundation for continuous improvement. Role-based access can be incrementally added to the new hire process. You can pick and choose where it's worth investing effort, for example, where job turnover is high, or where access is very similar across a function. Implementing some roles into this process delivers a triple win - providing the right access (better security) at the right time (improved service) and reducing the number of access requests (boost IT efficiency).

Leveraging intelligence, you can start to cut down on the effort required to develop roles. Intelligence solutions such as Access Insight use analytics to attack the mountain of access data available to find those access patterns to suggest appropriate access for a user. Let the computer do the work!

If your help desk is struggling to keep up, there are several ways to alleviate the pressure while also enhancing security and providing better customer service. For example, a streamlined, centralized access request process provides these multiple benefits.

I often remember an IT manager I worked with at a manufacturing company whose request process included 140 different forms! It was a huge improvement when we helped his organization move to a simple, one-stop access request shopping solution that included a full audit trail and built-in approval process.

Access ProvisioningWith an Intelligent-enabled IAM solution such as the Courion Access Assurance Suite, the request process is enhanced, because it provides guidance to the user regarding what to request. This is done via intelligent modeling of user access, which suggests access options for users in similar roles. The Access Assurance Suite also provides 'guard rails' against the inadvertent provisioning of inappropriate access because it automatically checks for possible policy violations, such as Segregation of Duty, during the request process.AAS highlighting a SOD violation in 8 4 2nd

As fundamental as it may seem, a self-service password management solution is also of great benefit to users, IT and help desk staff. Password reset calls often account for 25% or more of help desk calls. Shifting those inbound requests to a self-service process will free up IT and help desk time to tackle more high value activities while allowing end users to avoid waiting on a phone to get a password reset.

Last on this list but not last in priority, is the recertification of user access. Access recertification is a best practice and, likely, a legal and audit requirement. With an intelligence-enabled IAM solution in place this effort can begin by assembling data that details 'who has access to what'. You can then leverage that information to provide a business-friendly recertification process that does not tax IT resources with hours of assembling spreadsheets from a multitude of systems.

While periodic re-certifications are important and necessary, Intelligence also allows you to trigger automated 'micro-certifications' based on policies you define. For example, you may create a policy where a user who gets access to highly sensitive data outside the norm kicks off an access recertification process. This type of risk-aware micro-certification reduces the kind of access risk that exists where waiting six months for the next review could be dangerous. This has the added benefit of maintaining compliance continuously, thus expediting the next audit you face.Find access

Clearly, it's possible to make significant progress in a relatively short time. The key is that these are not Band-Aid solutions, but the bricks that form a solid foundation for building a comprehensive, flexible and risk-aware IAM solution.


27 Oct 2014 3:15pm GMT

25 Oct 2014

feedPlanet Identity

Anil John: A C2G Identity Services Overview of Canada

A high level technical overview of the components of Canada's Cyber Authentication Renewal Initiative

25 Oct 2014 1:30pm GMT

Mike Jones - Microsoft: JOSE -36 and JWT -30 drafts addressing additional IESG review comments

These JOSE and JWT drafts incorporate resolutions to some previously unresolved IESG comments. The primary change was adding flattened JSON Serialization syntax for the single digital signature/MAC and single recipient cases. See http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36#appendix-A.7 and http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-36#appendix-A.5 for examples. See the history entries for details on the few other changes. No breaking changes were made. The specifications […]

25 Oct 2014 6:28am GMT

24 Oct 2014

feedPlanet Identity

Radovan Semančík - nLight: How to Start Up an Open Source Company

Evolveum is a successful open source company now. We develop open source Identity and Access Management (IAM) software. We have legally established Evolveum in 2011 but the origins of Evolveum date back to mid-2000s. In 2014 we are getting out of the startup stage into a sustainable stage. But it was a long way to get there. I would like to share our experiences and insights in a hope that this will help other is their attempts to establish an open source business.

The basic rules of the early game are these: It all starts with an idea. Of course. You need to figure out something that is not yet there and people need it. That is the easy part. Then you have to prototype it. Even the brightest idea is almost worthless until it is implemented. You have to spend your own time and money to implement the prototype. You cannot expect anyone to commit the time or money to your project until you have a working prototype. So prepare for that - psychologically and financially. You will have to commit your savings, secure a loan or sacrifice your evenings and nights for approx. 6 months. If you spend less than that then the prototype is unlikely to be good enough to impress others. And you cannot have a really successful project without the support of others (I will get to that). Make sure that the prototype has proper open source license from day one, that it is published very early and that it follows open source best practice. Any attempt to twist and bend these rules is likely to backfire when you are at the most vulnerable.

Then comes the interesting part. Now you have two options. The choice that you make now will determine the future of your company for good. Therefore be very careful here. The options are:

Fast growth: Find an investor. This is actually very easy to do if you have a good idea, good prototype and you are a good leader. Investors are hungry for such start-up companies. You have to impress the investor. This is the reason why the prototype has to be good. If you started alone find an angel investor. If you already have a small team find a venture capitalist. They will give you money to grow the company. Quite a lot of money actually. But there is a catch. Or better to say a whole bunch of them. Firstly, the investor will take majority of shares in your company in exchange for the money. You will have to give away the control over the company. Secondly, you will need to bind yourself to the company for several years (this may be as long as 10 years in total sometimes). Which means you cannot leave without losing almost everything. And thirdly and most importantly: you must be able to declare that your company can grow at least ten times as big in less than three years. Which means that your idea must be super-bright ingenious thingy that really everyone desperately needs and it also needs to be cheap to produce, easy to sell and well-timed - which is obviously quite unlikely. Or you must be inflating the bubble. Be prepared that a good part of the investment will be burned to fuel marketing, not technology. You will most likely start paying attention to business issues and there will be no time left to play with the technology any more. Also be prepared that your company is likely to be sold to some mega-corporation if it happens to be successful - with you still inside the company and business handcuffs still on your hands. You will get your money in the end, but you will have almost no control over the company or the product.

Self-funded growth: Find more people like you. Show them the prototype and persuade them to work together. Let these people become your partners. They will get company shares in exchange of their work and/or money that they invest in the company. The financiers have a very fitting description for this kind of investment: FFF which means Friends, Family and Fools. This is the reason for the prototype to be good. You have to persuade people like you to sacrifice an arm and a leg to your project. They have to really believe in it. Use these FFF money to make a product out of your early prototype. This will take at least 1-2 years and there will be almost no income. Therefore prepare the money for this. Once you are past that state the crucial part comes: use your product to generate income. No, not sell the support or subscription or whatever. This is not going to work at this stage. Nobody will pay enough money for the product until it is well known and proven in practice. You have to use the product yourself. You have to eat your own dogfood. You have to capitalize on the benefits that the product brings, not on the product itself. Does your product provide some service? Set up a SaaS and provide the service for money. Sell your professional services and mix in your product as additional benefit. Sell a solution that contains your product. Does your product improve something (performance, efficiency)? Team up with the company that does this "something" and agree on sharing the revenue or savings generated by your product. And so on. You have to bring your own skin to the game. Use the early income to sustain product development. Do not expect any profit yet. Also spend some money and time on marketing. But most of the money still need to go to the technology. If the product works well then it will eventually attract attention. And then, only then, you will get enough money from subscriptions to fund the development and make profit. Be prepared that it can take 3-6 years to get to this stage. And a couple more years to repay your initial investment. This is a slow and patient business. In the end you will retain your control (or significant influence) over the product and company. But it is unlikely to ever make you a billionaire. Yet, it can make a decent living for you and your partners.

Theoretically there is also a middle way. But that depends on a reasonable investor. An investor that cares much more about the technology than he cares about money, valuations and market trends. And it this is extremely rare breed. You can also try crowdfunding. But this seems to work well only for popular consumer products that are not very common in the open source world. Therefore it looks like your practical options are either bubble or struggle.

And here is a couple of extra tips: Do not start with all-engineer team. You need at least one business person in the team. Someone that can sell your product or services. Someone that can actually operate the company. You also need one visionary in the team. Whatever approach you choose it is likely that your company reaches full potential in 8-12 years. Not any earlier. If you design your project just for the needs of today you are very likely to end up with an obsolete product before you can even capitalize on it. You also need a person that has his feet stable on the ground. The product needs to start working almost from the day one otherwise you will not be able to gain the momentum. Balancing the vision and the reality is the tough task. Also be prepared to rework parts of your system all the time. No design is ever perfect. Ignoring the refactoring needs and just sprint for the features will inevitably lead to development dead-end. You cannot afford that. That ruins all your investment.The software is never done. Software development never really ends. If it does end then the product itself is essentially dead. Plan for continuous and sustainable development pace during the entire lifetime of your company. Do not copy any existing product. Especially not other open source product. It is pointless. The existing product will always have a huge head start and you cannot realistically ever make that up unless the original team makes some huge mistake. If you need to do something similar than other project already does then team up with them. Or make a fork and start from that. If you really start on a green field you have to use a very unique approach to justify your very existence.

I really wish that someone explained this to me five years ago. We have chosen to follow the self-funded way of course. But we had to explore many business dead-ends to get there. It was not easy. But here we are, alive and well. Good times are ahead. And I hope that this description helps other teams that are just starting their companies. I wish them to have a much smoother start than we had.

(Reposted from https://www.evolveum.com/start-open-source-company/)

24 Oct 2014 1:23pm GMT