21 Jul 2014

feedPlanet Identity

Katasoft: Hosted Login for Modern Web Apps

Hosted Login from Stormpath

It's no big secret: if you're not using SaaS products to build your next great app, you're wasting a lot of time.

Seasoned web developers have learned to solve common (i.e. annoying) problems with packaged solutions. If you're really badass, your latest app is a symphony of amazing services, not a monolithic codebase that suffers from Not Invented Here.

But I'm gonna put money on this: you're still building your login and registration forms from scratch and maintaining your own user database.

Why do we build login from scratch?

I have a few hypotheses on this, but one always seems to be true: user systems are the first thing we do after we master the Todo demo app. It's fun, it's a feature and we feel like we've accomplished something. Eventually we learn that there are a lot of things you can get wrong:

  • Storing passwords in a database, in plaintext
  • Giving users a cookie session that never expires
  • Building a crappy (or nonexistent!) password reset flow, to the ire of the support team
  • Storing the entire user object in application memory in order to improve page times

I could go on, but you already know. We commit these sins in the spirit of Ship It!.

Sometimes we use a framework like Rails, Express or Django and avoid most of these pitfalls by using their configurable user components. But we're trying to get to App Nirvana, we want fewer concrete dependencies, less configuration, fewer resources to provision.

Login as a Service

What if you could send your user to a magical place, where they prove their identity and return to you authenticated?

Announcing Hosted Login - our latest offering from Stormpath!

With Hosted Login you simply redirect the user to a Stormpath-hosted login page, powered by our ID Site service. We handle all the authentication and send users back to your application with an Identity Assertion. This assertion contains all the information you need to get on with your business logic.

And the best part? Very minimal contact with your backend application. In fact, just two lines of code (using our SDKs):

  • One to create the URL which takes the user to the hosted login screen
  • One that parses the identity assertion when they return to your application

And with that.. your entire user system is now completely service-oriented. No more framework mashing, no more resource provisioning. Oh, did we mention that's beautiful as well? That's right: if you don't want to do any frontend work either, you can just use our default screens:

Screenshot

What problems does it solve?

Hosted Login solves a lot of the problems that are sacrificed in the name of Ship It, plus a few you may not have thought of:

  • Security best practices (HTTPS for all components, enterprise grade security on our backend)
  • Complete flows for registration, verification, login, and password reset
  • Social login for Google and Facebook
  • No provisioning or securing your database

Customization

While we provide default screens for hosted login, you can fully customize your user experience. Just create a Github repository for your ID Site assets and give us the Github URL! We'll import the files into our CDN for fast access and serve your custom login pages instead of our default.

To customize your hosted login pages, you'll want to use Stormpath.js, a small library that I've written just for this purpose. It gives you easy access to the API for ID Site and at ~5k minified it won't break the bank.

For more information on this feature please refer to our in-depth document: Using Stormpath's ID Site to Host your User Management UI

We'd love to know how you find Hosted Login! Feel free to tweet us at @gostormpath or contact me directly via robert@stormpath.com

21 Jul 2014 3:00pm GMT

Kaliya Hamlin - Identity Woman: Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10). It was a follow-on talk to his Hope 9 presentation that was on #nymwars. He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg - [...]
No related posts.

21 Jul 2014 2:51pm GMT

Courion: Extending IAM into the Cloud

Access Risk Management Blog | Courion

describe the imageYour data is everywhere. And so are your applications. In the past, everything resided in the data center, but today they're stored in the cloud, by a partner (MSP), and even running on mobile devices.

Your customers, partners and employees are also everywhere. As a security professional, you need to ensure that the right people have access to the right data and are doing the right things with it. That's where Intelligent Identity Access Management comes in. But in the era of cloud-computing, who knows where the data physically resides? And with users and accounts spread around the globe, how can you ensure the data is being accessed by the right people, according to your policies? Again, that's where Intelligent Identity Access Management is crucial.

If your data were just centrally located and being accessed by individuals and devices that you manage, traditional IAM solutions work well. But that's probably not the case. You have data in internal and outsourced systems. Some of the outsourced systems may be wholly controlled by your contracts, while others may be shared among thousands of other organizations. And that data is being accessed by employees, partners and customers from their homes, phones and tablets, on planes trains and automobiles.

From a security perspective, it's imperative to provision, govern and monitor information access wherever that information resides and however it's being accessed, whether those are physically in your IT environment or in the cloud. So what are your options?

Options for Provisioning, Governance and Monitoring in the Cloud

Two obvious questions are "where's my IAM solution?" and "where's my data?" After all, both must reside somewhere and be secured. If we constrain the answers to those questions to "on premise" or "in the cloud", we have four options.

1. Host internally, manage internal applications

Traditional IAM solutions reside on IT managed hardware within an enterprise. They're typically located in a server room where they can be physically controlled by IT. They are configured to manage applications that also reside on servers physically controlled by IT. This is a largely closed system, with the administrative control and the application resources both co-located within IT. It makes security simpler, but in the era of cloud computing, is becoming increasingly rare.

2. Host internally, manage internal and cloud-based applications

As enterprise applications have migrated outside of the data center, the need to manage those applications has fallen to traditional IAM solutions. IAM vendors like Courion have evolved their suites to natively connect to cloud-based systems from an on premise administration point. Existing "connector libraries" have been extended to include connectors to cloud-based systems. These new connectors sit side-by-side with existing on premise connectors and reach out to cloud applications.

This evolution has been largely seamless, as the same architecture used for managing internal resources has been applied to external, cloud-based resources. The protocols change, like using SOAP over HTTP rather than files over SMB, or RESTful web services rather than SOAP, but the architecture and techniques survived.

3. Host in the cloud, manage internal and cloud-based applications

Just as enterprise applications are now hosted in the cloud, there is increasing interest in hosting security systems in the cloud. This enables enterprises to focus on their core competencies rather than security management and identity management, while at the same time optimizing CapEx for OpEx expenditures.

Early experiments are promising, with IAM solutions providing tunneling capabilities from cloud-based infrastructure. Tunneling can be through VPNs, reverse proxies or dedicated appliances. Over time, this will likely become the preferred deployment option.

4. Host in the cloud; manage cloud-based applications

If an enterprise has no data in house, then a pure cloud-based solution is ideal. Operating on Office 365 + SalesForce + ADP, a cloud-based IAM solution can effectively provision and govern cloud-based applications. This scenario eliminates the complexity and cost of network tunneling solutions since everything is natively in the cloud. Here, the protocols are rapidly standardizing on RESTFul web services, with common token-based security and federation. However, like the all-internal scenario, all-cloud environments are rare.

Hybrid - the viable solution

Of these options, only two are typically feasible, since most organizations have some data on premise and some in the cloud. There are exceptions, like a startup which is native-cloud or in certain government situations, but in general, a hybrid solution is required. Choosing between the 2nd and 3rd option described above, whether you host your IAM solution in the cloud or host it internally, comes down to a deployment choice.

Courion has customers who are doing each. Most run our IAM solution on premise, while some use deployment in the cloud. For cloud deployments, most choose private cloud infrastructure, while some go for public infrastructure. But the predominant approach, even in 2014, is to deploy on premise. This is chiefly because most data still resides locally, so most applications reside locally, tilting the equation to an internally hosted IAM solution. As more enterprise applications migrate to the cloud, the decision to host the Courion suite in the cloud will likely shift.

Unlike enterprise data however, people have already shifted to the cloud. Mobile devices, from phones to tablets, are the norm. Most organizations provide secure access to critical systems on a 7x24 basis, to individuals located on premise and on the go. So parts of your IAM infrastructure must be either in the cloud, or on the edge (DMZ).

Again, Courion solutions are well suited for this shift. The most common security transaction, other than login, is the humble Password Reset. This must be accessible from anywhere and must be very reliable. It's required from the road, at night, on weekends and 2 minutes before the big sales presentation. Courion customers have hosted their password reset infrastructure in the DMZ for exactly this purpose. In addition, the Courion suite is tooled with a clean interface so customers, partners and employees are met with a consumer-grade experience, accessible on their laptop, tablet or phone.

As your data and apps move to the cloud, so do your identity repositories and access control models, as mentioned earlier. Your IAM solution can span both, but it's still advantageous to consolidate identities and provide a more seamless and simple sign on experience for customers, partners and employees. Enter Ping Identity, another cloud app that integrates with Courion solutions. Just as we expanded to cloud apps as they entered the business, a strong partnership allows for seamless integration with Ping to offer federation and SSO capabilities.

Single Sign On (SSO) impacts the decision of where to deploy an IAM solution. While IAM can provision, govern and monitor access applications in cloud-based and on premise environments, SSO systems provide seamless application login and access to the user community. By coupling the flexibility of Courion's industry leading IAM solution with the SSO and federation capabilities of Ping, organizations can manage access across all of their applications. Because both products leverage a common structure with Active Directory, the result is great experience for the end user and a manageable system for IT.

Conclusion

As the computing world shifts to the cloud, with consumer-grade technology leading the enterprise, our customers, partners and employees expect great access to information. As security professionals, our job is to balance "great" access with "secure" access. We make choices every day in choosing the solutions we deploy and the infrastructure on which it resides. Courion is here to help.

blog.courion.com

21 Jul 2014 2:12pm GMT

Ludovic Poitou - ForgeRock: What we build at ForgeRock…

Since I've started working at ForgeRock, I've had hard times to explain to my non-technical relatives and friends, what we were building. But those days are over. Thanks to our Marketing department, I can now refer them to our "ForgeRock Story" video :Filed under: Identity Tagged: ForgeRock, iam, identity, IRM, opensource, security, video

21 Jul 2014 10:43am GMT

Julian Bond: Apparently the CMax II is for sale.

Apparently the CMax II is for sale.
http://bikeweb.com/files/images/cmax%20leaves%203%20small.preview.jpg

Sale details here. http://bikeweb.com/node/2909
Bike details here: http://bikeweb.com/image/tid/114

T-Max III, Volvo seat, occasional 2 seater and large luggage area. Faster (maybe!), safer, warmer, more comfortable than a conventional T-Max.

Not sure I can afford it. It's likely to be priced to reflect the work rather than cheap because it's unusual.
bikeweb.com/files/images/cmax%20leaves%203%20small.preview.jpg »

[from: Google+ Posts]

21 Jul 2014 9:35am GMT

19 Jul 2014

feedPlanet Identity

Eve Maler: A new identity relationship

I've been writing on this blog about identity and relationships for a long time (some samples…). Now I've forged (see what I did there?) a new relationship, and have joined ForgeRock's Office of the CTO. Check out my first post on the ForgeRock blog. I'm really psyched about this company and my new opportunities to make cool Identity Relationship Management progress there. And I've found a lot of fellow rock 'n' rollers and Scotch drinkers in residence too - apparently that's something […]
Read more

19 Jul 2014 6:25pm GMT

Anil John: What are KBA Metrics?

What are the steps to identity proofing and potential metrics associated with each?

19 Jul 2014 1:15pm GMT

Julian Bond:

19 Jul 2014 8:12am GMT

18 Jul 2014

feedPlanet Identity

ForgeRock: The care and feeding of online relationships

I'm really excited to join ForgeRock! ForgeRock is doing amazing work around identity relationship management, and relationships - secure, identity-enabled, privacy-respecting, data-sharing, network-connected - are near and dear to my heart. (You didn't think I was talking about Tinder, did you?) My new role involves driving innovation for the ForgeRock...

The post The care and feeding of online relationships appeared first on ForgeRock.

18 Jul 2014 6:32pm GMT

Kuppinger Cole: 05.02.2015: Cloud Compliance & Datenschutz

In KuppingerCole

Dieses Seminar vermittelt Ihnen die grundlegenden und brachenspezifischen Regelungen für Ihre Cloud-Strategie und informiert Sie über die heutigen und künftigen Anforderungen an Datensicherheit und Datenschutz.

Sie tragen Verantwortung für die Planung, Einführung und das Management von Cloud Services in Ihrem Unternehmen? Dann wird dieses Seminar alle Ihre offenen Fragen zum Thema Compliance und Datenschutz beantworten.
more

18 Jul 2014 4:50pm GMT

Julian Bond: I hate it when good services on the internet go dark and disappear.

I hate it when good services on the internet go dark and disappear.

There used to be a wonderful tool for exploring music space at http://audiomap.tuneglue.net/ It gathered data from last.fm and Discogs about related artists and presented it in a Java applet spider diagram.

Now it redirects to an EMI Hosting holding page and that sucks.

There's analternative one here http://www.liveplasma.com/ that's not bad but it's not the same.
EMI Hosting »

[from: Google+ Posts]

18 Jul 2014 4:43pm GMT

Kuppinger Cole: 13.11.2014: Cloud Compliance & Datenschutz

In KuppingerCole

Dieses Seminar vermittelt Ihnen die grundlegenden und brachenspezifischen Regelungen für Ihre Cloud-Strategie und informiert Sie über die heutigen und künftigen Anforderungen an Datensicherheit und Datenschutz.

Sie tragen Verantwortung für die Planung, Einführung und das Management von Cloud Services in Ihrem Unternehmen? Dann wird dieses Seminar alle Ihre offenen Fragen zum Thema Compliance und Datenschutz beantworten.
more

18 Jul 2014 4:42pm GMT

Kuppinger Cole: 02.02.2015: Big Data für die Informationssicherheit

In KuppingerCole

Realtime Security Analytics: Worauf Sie beim Einstieg achten müssen.

Erhalten Sie einen Überblick zur Echtzeit-Überwachung mit Hilfe von Big Data Tools und lernen Sie wie Sie die datenschutzrechtlichen Regulatorien im Kontext der Netzwerküberwachung einhalten.
more

18 Jul 2014 4:22pm GMT

Kuppinger Cole: 12.11.2014: Big Data für die Informationssicherheit

In KuppingerCole

Realtime Security Analytics: Worauf Sie beim Einstieg achten müssen.

Erhalten Sie einen Überblick zur Echtzeit-Überwachung mit Hilfe von Big Data Tools und lernen Sie wie Sie die datenschutzrechtlichen Regulatorien im Kontext der Netzwerküberwachung einhalten.
more

18 Jul 2014 4:05pm GMT

Kuppinger Cole: What’s the deal with the IBM/Apple deal?

In Alexei Balaganski

So, unless you've been hiding under a rock this week, you've definitely heard about a historical global partnership deal forged between IBM and Apple this Tuesday. The whole Internet's been abuzz for the last few days, discussing what long-term benefits the partnership will bring to both parties, as well as guessing who will be the competitors that will suffer the most from it.

Different publications would name Microsoft, Google, Oracle, SAP, Salesforce and even Blackberry as the companies that the deal was primary targeted against. Well, at least for BlackBerry this could indeed be one of the last nails in the coffin, as their shares have plummeted after the announcement and the trend seems to be long-term. IBM's and Apple's shares rose unsurprisingly, however, financial analysts don't seem to be too impressed (in fact, some recommend selling IBM stocks). This is, however, not the point of my post.

Apple and IBM have a history of bitter rivalry. 30 years ago, when Apple unveiled their legendary Big Brother commercial, it was a tiny contender against IBM's domination on the PC market. How times have changed! Apple has since grown into the largest player on mobile device market with market capitalization several times larger than IBM's. IBM has sold their PC hardware business to Lenovo years ago and is currently concentrated on enterprise software, cloud infrastructure and big data analytics and consulting businesses. So, they are no competitors anymore, but can we really consider them equal partners? Apple's cash reserves continue to grow, and IBM's revenues have been declining over the last two years. After losing a $600M contract with US government to AWS last year, a partnership with Apple is a welcome change for them.

So, what's in this deal, anyway? In short, it includes the following:

  • IBM introduces its enterprise software and services platform, as well as a set of over 100 industry-specific enterprise apps specifically designed and optimized for Apple devices. The newly announced MobileFirst platform is technically based on IBM's existing MaaS360 mobile device management platform and BlueMix, a service development platform for IBM cloud, but newly packaged and optimized specifically for iOS 8.
  • With IBM's help, Apple's existing customer support service AppleCare will be extended to the enterprise customers. IBM will take over the support services for their Apple-tailored enterprise solutions, as well as provide on-site support for iOS and Mac devices.
  • IBM will become Apple's first worldwide distributor and reseller, offering procurement and reselling of devices, security and activation, and other managed services.

For Apple, this deal marks their renewed attempt to get a better hold of the enterprise market. It's well known that Apple has never been successful in this, and whether it was because of ignoring enterprise needs or simply because of inability to develop the necessary services in-house, can be debated. This time, however, Apple is bringing a partner with a lot of experience and a large portfolio of existing enterprise services (notorious, however for their consistently bad user experience). Could an exclusive combination of a new shiny mobile UI with a proven third party backend finally change the market situation in Apple's favor? Personally, I'm somewhat skeptical: although a better user experience does increase productivity and would be a welcome change for many enterprises, we're still far away from a mobile-only world, and UI consistency across mobile and desktop platforms is a more important factor than a shiny design. In any case, the biggest thing that matters for Apple is the possibility to sell more devices.

For IBM the deal looks even less transparent. Granted, we do not know the financial details, but judging by how vehemently their announcement stated that they are "not just a channel partner for Apple", many analysts do suspect that reselling Apple devices could be a substantial part of IBM's profit from the partnership. Another important point is, of course, that IBM cannot afford to maintain a truly exclusive iOS-only platform. Sure, iOS is still a dominant platform on the market, but its share is far from 100%. Actually, it is already decreasing and will probably continue to decrease in the future, as other platforms will gain their market shares. Android's been growing steadily during the last year, and it's definitely too early to dismiss Windows Phone (remember how people were trying to dismiss Xbox years ago?). So, IBM must continue to support all other platforms with their products such as MaaS360 and can only rely on additional services to support the notion of iOS exclusivity. In any case, the partnership will definitely bring new revenue from consulting, support and cloud services, however it's not easy to say how much Apple will actually contribute to that.

So, what about the competitors? One thing that at least several publications seem to ignore is that those companies that are supposed to suffer from the new partnership are operating on several completely different markets and comparing them to each other is like comparing apples to oranges.

For example, Apple does not need IBM's assistance to trump BlackBerry as a rival mobile device vendor. But applying the same logic to Microsoft's Windows phone platform would be a big mistake. Surely, their current share in the mobile hardware market is quite small (not on every market, by the way: in Germany they have over 10% and growing), but to claim that Apple/IBM will drive Microsoft out of enterprise service business is simply ridiculous. In fact, Microsoft is a dominant player there with products like Office 365 and Azure Active Directory and it's not going anywhere yet.

Apparently, SAP CEO Bill McDermott isn't too worried about the deal as well. SAP is already offering 300 enterprise apps for iOS Platform and claims to be years ahead of its competitors in the area of analytics software.

As for Google - well, they do not make money from selling mobile devices. Everything Google does is designed to lure more users into their online ecosystem, and although Android is an important part of their strategy, it's by no means the only one. Google services are just as readily available on Apple devices, after all.

Anyway, the most important question we should ask isn't about Apple's or IBM's, but about our own strategies. Does the new IBM/Apple partnership has enough impact to make an organization reconsider its current MDM, BYOD or security strategy? And the answer is obviously "no". BYOD is by definition heterogeneous and any solution deployed by an organization for managing mobile devices (and more importantly, access to corporate information from those devices) that's locked on a single platform is simply not a viable option. Good design may be good business, but it is not the most important factor when the business is primarily about enterprise information management.

18 Jul 2014 10:58am GMT

Kuppinger Cole: Executive View: Symantec.cloud Security Services - 70926

In KuppingerCole

Symantec was founded in 1982 and has evolved to become one of the world's largest software companies with more than 18,500 employees in more than 50 countries. Symantec provides a wide range of software and services covering security, storage and systems management for IT systems. Symantec has a very strong reputation in the field of IT security that has been built around its technology and experience. While Symantec has a wide range of security...
more

18 Jul 2014 9:23am GMT