27 Apr 2015

Planet Identity

OpenID.net: Final OAuth 2.0 Form Post Response Mode Specification Approved

The OAuth 2.0 Form Post Response Mode specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This specification defines how to return OAuth 2.0 Authorization Response parameters (including OpenID [...]

27 Apr 2015 8:50pm GMT

Matthew Gertner - AllPeers: Lorem ipsum dolor sit amet

Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Vestibulum tortor quam, feugiat vitae, ultricies eget, tempor sit amet, ante. Donec eu libero sit amet quam egestas semper. Aenean ultricies mi vitae est. Mauris placerat eleifend leo. Quisque sit amet est et sapien ullamcorper pharetra. Vestibulum erat wisi, condimentum sed, commodo vitae, ornare sit amet, wisi. Aenean fermentum, elit eget tincidunt condimentum, eros ipsum rutrum orci, sagittis tempus lacus enim ac dui. Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus, tortor neque egestas augue, eu vulputate magna eros eu…

The post Lorem ipsum dolor sit amet appeared first on All Peers.

27 Apr 2015 6:52pm GMT

Radovan Semančík - nLight: midPoint 3.1.1

MidPoint 3.1.1 was released a few days ago. It is formally an update to "Sinan" (midPoint 3.1). But this is actually quite a substantial release, as the original goal of a "small and quick" update took on a life of its own. This is a lesson for us in what can happen when development is driven by customer requirements. Nevertheless, the midPoint 3.1.1 release is here. And it is a good release.

MidPoint 3.1.1 builds on the previous release. The resource wizard, and in fact the entire user interface, has usability improvements. The most significant improvement is the addition of the "lookup" object. This object can be used to define a set of legal values for a property that the user can choose from. It can be used to provide a list of employee types, role types, time zones, languages, etc. In accord with the midPoint philosophy, this only needs to be specified once and all midPoint components automatically adapt to it. This feature makes midPoint deployments even more efficient than before.

There is also new support for Python scripting (in addition to Groovy, JavaScript/ECMAScript and XPath2). MidPoint reporting is significantly improved by much better integration with Jasper. There is also a bunch of smaller additions: workflow handlers are improved, there are slight policy improvements, there is a new validation API for complex GUI validations, etc. See the release notes for the details.

MidPoint 3.1.1 is a significant achievement and I want to thank all the Evolveum team members that made it possible. However, I would like to express special thanks to our contributors. It was during the development of midPoint 3.1.1 that we noticed increased contributor activity. We appreciate every single contribution to the midPoint project, whether it is a simple bugfix, a translation or a major feature. Therefore I would like to thank all the midPoint contributors regardless of what they have contributed. But there are two companies that deserve special thanks: Biznet Bilişim and AMI Praha. They have been part of the midPoint community for a couple of years and they provide the energy for continued midPoint development.

It looks like the midPoint community is growing. MidPoint is no longer a technology created by Evolveum only. MidPoint is a true open source project that is the product of several cooperating companies. We also see increased customer interest in the technology that we have created together with our partners. I take this as a sign that word about midPoint has already spread far and wide enough for our project to make a mark on the IAM market. That was our initial goal: to make a difference. To improve the terrible state of established IDM technology. We are getting very close to achieving that goal. We have had the technology to do that for some time already. But now we are also gaining the audience.

(Reposted from https://www.evolveum.com/midpoint-3-1-1/)

27 Apr 2015 3:03pm GMT

26 Apr 2015

Drummond Reed - Cordance: How to Specify the Email Address to Use in a Google Contacts Group

So how many users do you think are on Gmail now? A quick Google search reveals roughly 500 million (that's about 1/8th of all email users in the world right now). So how many of them do you think use Google Contacts? … Continue reading

26 Apr 2015 4:28am GMT

25 Apr 2015

Drummond Reed - Cordance: Ex Machina: One Very Fine Machine

About a third of the way into this movie I found myself thinking that film has become such a high art form, attracting so much talent the world over, that either we're going to run out of ideas or our heads … Continue reading

25 Apr 2015 6:59am GMT

23 Apr 2015

Rakesh Radhakrishnan: Fireeye, Firelayer & Firemon

Everything seems to be fired up nowadays!! Similar to Cisco's Sourcefire, Fireamp and Firesight... I was at an RSA party hosted by Fireeye on Tuesday next to the Moscone Center (W hotel); earlier the same day I spoke to some folks at the Firelayer booth (a cloud FW product that supports XACML). I already knew extensively about Fireeye and Firelayer and their respective spaces; however, on my way back from the Fireeye party, I noted another party in the same hotel hosted by Firemon (a Fishnet Security spinoff)... Very interesting in terms of what they do to manage (policies) and monitor network firewalls. Read this whitepaper on the state of the art by Predykot, which references Firemon and XACML.

There were many presentations I enjoyed. Cisco had roughly 18 sessions in its booth on 18 topics; the one on Threat Analytics by Petr Cernohorsky was great, the one on Cisco ISE and TrustSec (network segmentation) was informative as well, and the one by David McGrew (Cisco Fellow) on STIX COA (recommended course of action) was awesome.

STIX facilitates auto-generation of XACML policies (from an NPL to an MPL to a DPL) as it identifies both resource attributes (that can map to any digital resource: IP address, domain, URL, URI, XML object, an endpoint, an application and more) and provides a set of recommended actions (which can map to XACML subject, resource and action attributes as well). The actions can be very coarse-grained or fine-grained too (block, TCP reset, quarantine, inspect, contain to a VLAN, re-image, quiesce, and more) from an endpoint and admission-control perspective (Cisco ISE); however, it can also extend to URL blacklist, domain blacklist, attribute check (XML firewall), API check (API firewall), code check (virtual execution environment), SQL statement checks (DB FW), re-authenticate, increase authentication assurance (MFA FIDO engine), and more, depending on the resource (application, container, etc.) accessed.

The more I think about this, the more value STIX IOC and STIX COA can have for dynamic XACML policies. Over and above the fact that XACML can express policies around ACL, CSV, RBAC, ABAC and TagBAC, it can also handle Threat IN-based policies (as exception policies which have an override function within a policy combining algorithm). I also met Robin "Montana" Williams from ISACA, who nailed the fact that the people side of the problem and the cyber security training part of it are equally critical!

23 Apr 2015 5:08pm GMT
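As an added worked example (not from the post above, and not Cisco's, FireMon's or any vendor's code), here is how a STIX-style course of action can be turned into an XACML 3.0 deny rule that sits beside an ordinary RBAC permit under a deny-overrides rule-combining algorithm, which is the "exception policy with an override function" the post describes. The COA record, the RBAC rule and the request attributes are constructed; the COA is a plain dict rather than real STIX XML. The identifiers used are the standard XACML 3.0 category, attribute and function URNs plus the role attribute id from the XACML RBAC profile. The evaluator only illustrates the combining semantics and is not a real PDP.

```python
"""Map a STIX-style course of action (COA) to an XACML 3.0 deny rule and show how
deny-overrides lets that threat-intel exception beat an RBAC permit.
Added example with constructed data; not code from the post or from any vendor."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"          # XACML RBAC profile
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"

# Constructed RBAC rule: any employee may "connect" to any resource.
RBAC_RULE = {
    "id": "rbac-employee-connect",
    "effect": "Permit",
    "matches": [(CAT_SUBJECT, ATTR_ROLE, "employee"),
                (CAT_ACTION, ATTR_ACTION_ID, "connect")],
}

# Constructed STIX-like COA: an indicator plus the recommended action for it.
COA = {"indicator_type": "domain", "indicator": "evil.example", "action": "block"}


def coa_to_rule(coa):
    """The COA indicator becomes the resource match and a 'block' action becomes
    Effect=Deny. Other COA actions (inspect, quarantine, ...) would need obligations
    on the rule and are deliberately not mapped here."""
    if coa["action"] != "block":
        raise ValueError(f"unsupported COA action: {coa['action']}")
    return {
        "id": f"coa-{coa['action']}-{coa['indicator_type']}-{coa['indicator']}",
        "effect": "Deny",
        "matches": [(CAT_RESOURCE, ATTR_RESOURCE_ID, coa["indicator"])],
    }


def to_xacml(policy_id, rules):
    """Serialise the rules as one XACML 3.0 <Policy> combined with deny-overrides."""
    ET.register_namespace("", XACML_NS)

    def q(tag):
        return f"{{{XACML_NS}}}{tag}"

    policy = ET.Element(q("Policy"), {"PolicyId": policy_id, "Version": "1.0",
                                      "RuleCombiningAlgId": DENY_OVERRIDES})
    ET.SubElement(policy, q("Target"))  # empty policy target: applies to every request
    for rule in rules:
        r = ET.SubElement(policy, q("Rule"), {"RuleId": rule["id"], "Effect": rule["effect"]})
        all_of = ET.SubElement(ET.SubElement(ET.SubElement(r, q("Target")), q("AnyOf")), q("AllOf"))
        for category, attribute_id, value in rule["matches"]:
            match = ET.SubElement(all_of, q("Match"), {"MatchId": STRING_EQUAL})
            ET.SubElement(match, q("AttributeValue"), {"DataType": XS_STRING}).text = value
            ET.SubElement(match, q("AttributeDesignator"),
                          {"Category": category, "AttributeId": attribute_id,
                           "DataType": XS_STRING, "MustBePresent": "false"})
    return ET.tostring(policy, encoding="unicode")


def rule_ids(xml_text):
    """Parse a serialised policy back and return its RuleIds (round-trip check)."""
    return [r.get("RuleId") for r in ET.fromstring(xml_text).findall(f"{{{XACML_NS}}}Rule")]


def make_request(role, action, resource):
    """A decision request as the attribute map a PDP would see."""
    return {(CAT_SUBJECT, ATTR_ROLE): role,
            (CAT_ACTION, ATTR_ACTION_ID): action,
            (CAT_RESOURCE, ATTR_RESOURCE_ID): resource}


def evaluate(rules, request):
    """Minimal deny-overrides combiner: a rule applies when all its matches hold; one
    applicable Deny beats any number of Permits; nothing applicable -> NotApplicable."""
    effects = [rule["effect"] for rule in rules
               if all(request.get((c, a)) == v for c, a, v in rule["matches"])]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    rules = [RBAC_RULE, coa_to_rule(COA)]
    print(to_xacml("threat-intel-exceptions", rules))
    for res in ("good.example", "evil.example"):
        print(res, evaluate(rules, make_request("employee", "connect", res)))
```

The point to notice is that the threat-intel rule never has to mention roles or actions: because the policy is combined with deny-overrides, a single matching resource indicator overrides whatever the RBAC rules permit, which is what makes an IOC feed usable as an exception layer on top of existing access policy.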

Mark Dixon - Oracle: A Message to Dad

This is an advertisement from Hyundai, but it has a really cool message. Enjoy!

23 Apr 2015 5:03am GMT

22 Apr 2015

Mark Dixon - Oracle: In Pursuit of a “Known Traveler Number”

I have been using the TSA PreCheck service since soon after its inception in 2011, without paying an enrollment fee, after being invited by US Airways to participate. This has allowed me to use the simpler and faster TSA PreCheck lane at airport security, rather than joining the majority of fliers in regular security lines. However a couple of weeks ago, [...]

22 Apr 2015 11:59pm GMT

Nat Sakimura: Implementations from Google, Microsoft, PayPal, Nomura Research Institute and others pass the OpenID Connect conformance tests

(Figure 1) OpenID Certified logo. On the 22nd local time, the US OpenID® Foundation announced a self-certification program for OpenID Connect implementation conformance. This is a program in which the OpenID Foundation […]

22 Apr 2015 2:54pm GMT

21 Apr 2015

Christopher Allen - Alacrity: The Four Kinds of Privacy

Privacy is hitting the headlines more than ever. Any of us could have our privacy violated at any time… but what does that mean exactly?

21 Apr 2015 5:30am GMT

19 Apr 2015

Nat Sakimura: [Amendment to the Act on the Protection of Personal Information] On the obligation to keep records of third-party provision [Part 2]

Now, regarding the obligation to keep records of third-party provision [1] that I pointed out on 3/12: on April 1, attorney Itakura introduced me to people from the Cabinet Secretariat's IT Office, who explained a number of things to me, so I want to share that here. Incidentally, this was strictly an explanation given to me in a personal capacity […]

19 Apr 2015 3:56pm GMT

18 Apr 2015

Kevin Marks:

Ooh, now I can post to my blog with micropub - thanks Kyle!

18 Apr 2015 7:50pm GMT

17 Apr 2015

Mark Dixon - Oracle: Welcome Home Apollo 13

Forty five years ago today, the embattled crew of Apollo 13 safely returned home. Against great odds, aided by terrific ingenuity from crews on the ground and undoubtedly by divine providence, the Apollo 13 crew survived an oxygen tank explosion and resultant failure of other systems through improvisation, steely dedication and pure grit. I was just [...]

17 Apr 2015 2:57pm GMT

OpenID.net: The OpenID Foundation Launches OpenID Connect Certification Program

Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute, and PayPal OpenID Connect Deployments First to Self-Certify Conformance RSA Conference 2015, San Francisco, CA - April 22, 2015 - Today the OpenID® Foundation introduced OpenID Connect Certification - a program that enables organizations to certify that their OpenID Connect implementations conform to specified profiles of the [...]

17 Apr 2015 1:00pm GMT

OpenID.net: Final OpenID 2.0 to OpenID Connect Migration Specification Approved

The OpenID 2.0 to OpenID Connect Migration specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This specification defines how to migrate from OpenID 2.0 to OpenID Connect. The [...]

17 Apr 2015 12:24am GMT

16 Apr 2015

Courion: Intelligent IAM: Improving Governance Processes

Access Risk Management Blog | Courion

This is the second installment in a 3-part series that explores how intelligence improves identity and access management (IAM). In part 1, we looked at how intelligence improves the provisioning portion of IAM, which helps to ensure that the right people get the right access to the right resources. In this installment, we'll look at how intelligence improves the governance portion of IAM, with a focus on validating that the right people currently have the right access to the right resources.

Governance is a verification process, essentially the QA portion of IAM. Many organizations use a manual certification process to verify access, which is essentially a large report that provides a list of users along with their associated access. The certification itself may be a paper-based tool or an electronic tool like Excel. Regardless of the medium, the process is essentially the same and the expectation is that reviewers will look at each user/access assignment and make an informed decision as to whether or not the granted access is appropriate. Depending upon company size, an average reviewer may be responsible for hundreds if not thousands of decisions. That sounds like fun, right? In addition to the fact that a certification is a lengthy, time-consuming process, it is also a mind-numbing exercise. It's no wonder certifications are relegated to an annual or perhaps a semi-annual punishment; pity the folks who tackle this on a quarterly basis. I wonder if anyone has ever collected any statistics that indicate a causal relationship between the scheduling of a company-wide certification and requested vacation days.

So, why do certifications at all? As painful as they may be, certifications serve an important security function; at least that's the intent - your mileage may differ. If you think of access to corporate resources as being somewhat analogous to having a set of keys to your house, don't you want to make sure you have tight control over who has a set of keys? If the provisioning process incorporates a robust approval process, why do we need to do periodic certifications on the back end? Haven't we already ensured that the access assignments are appropriate on the front end? Well, yes and no, but mostly no.

You've heard the adage, "the only constant in this world is change." Well, the average corporate environment exemplifies that sentiment. Corporations are dynamic entities. Corporate resources are often being added to or removed from the environment and the data that resides on those resources is constantly changing. Arguably, the most dynamic aspect of a corporation is the human resource component; employees come and go, they join and leave projects, change jobs and/or change departments. In addition, there are often contractors or temporary personnel, which adds another wrinkle to the situation. The limitation of verifying access only during provisioning is the fact that decisions are made in the moment, based upon one's knowledge of the circumstances that exist at that point in time.

However, as discussed above, circumstances change over time and a decision that was appropriate last year, last month or even yesterday may not be appropriate today. Therefore, a governance process is necessary in order to ensure that access assignments remain appropriate within a dynamic environment. In addition, the governance process must be thoughtfully executed in order to achieve its goal. Unfortunately, a governance process, devoid of intelligence, tends to devolve into a rubber-stamp exercise. Asking a reviewer to make decisions upon hundreds or thousands of access assignments that all feel similar in importance coupled with a reviewer's tendency to believe that the access assignments are probably already correct isn't a recipe for a strong governance cycle.

By contrast, IAM intelligence in the form of data analytics can make dramatic improvements to the governance process. Envision a certification that is no longer a flat list, but instead organized into sections based upon the degree of attention required of a reviewer. One section may contain all of the access a user has that is in complete alignment with the user's job title or equivalent to access provided to colleagues. This section probably needs little more than a cursory review.

However, another section may contain all of the resources that have been identified as highly sensitive, and a user having access to these resources requires a greater degree of scrutiny by a reviewer. Yet another section may identify access assignments that the intelligence engine, based upon configurable policies that reflect a corporation's business policies, has flagged as being questionable.

One such example is outlier access, which may be defined as an access assignment that differs by some degree from the access held by a user's cohort group, such as others with the same job title or others in the same department. Such an intelligence-driven certification would focus a reviewer's attention on those items that matter most, perhaps even requiring multi-level certification based upon the sensitivity of the resource or the degree to which the access is an outlier.

Perhaps the most attractive aspect of intelligence-driven certifications is the potential to eliminate the need for an all-encompassing review altogether. Since the use of intelligence can segment access assignments into different groups based upon configurable criteria, why not use that intelligence as the basis for determining which access should be reviewed on an as needed basis? Sensitive resources can be reviewed on a monthly basis. Outlier access can be reviewed as soon as it is detected and the access can be removed immediately or approved for a given amount of time based upon configurable boundaries.

Intelligence-driven governance is a game-changer: it identifies and organizes access assignments into questions that focus reviewers' attention on those things that matter most to the business. The use of intelligence changes the question from "Are all of these access assignments appropriate?" to questions like "Should Bob have access to this server when he is the only one in the department with such access?", "Sue has access to this file share just like all of her colleagues, but she's the only one accessing it on the weekends; is that appropriate?" or "This resource has been identified as highly sensitive and average utilization of this resource has increased over the past week; in particular, Joe and Fred have shown a 200% increase for this resource. Is that appropriate?"

In addition to the fact that the governance process can evolve from a high-level check to very specific queries, the addition of intelligence ensures that these specific questions are asked at the time the events are happening, such that anomalies can be addressed immediately before they become a catastrophe.
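As an added illustration of the segmentation described above (example code written for this page, not Courion's product or code), the following Python program takes constructed user attributes and access assignments, computes for each assignment how much of the user's cohort (same job title) holds the same access, tags assignments on resources the business has marked sensitive, and sorts everything into the certification sections a reviewer would see, each with its own review cadence. The users, assignments, sensitive-resource list, 50% outlier threshold and minimum cohort size are all assumptions chosen for the example.

```python
"""Intelligence-driven certification: segment access assignments by cohort outlier
score and resource sensitivity, then attach a review cadence to each section.
Added example with constructed data; not Courion's code."""
from collections import Counter, defaultdict

# Constructed identity data: user -> attributes that define the user's cohort.
USERS = {
    "bob":   {"title": "engineer", "dept": "eng"},
    "carol": {"title": "engineer", "dept": "eng"},
    "dave":  {"title": "engineer", "dept": "eng"},
    "erin":  {"title": "engineer", "dept": "eng"},
    "alice": {"title": "analyst",  "dept": "finance"},
    "frank": {"title": "analyst",  "dept": "finance"},
    "grace": {"title": "cfo",      "dept": "finance"},
}

# Constructed (user, resource) access assignments, as an IAM system would export them.
ASSIGNMENTS = [
    ("bob", "git"), ("bob", "jira"), ("bob", "prod-server"),
    ("carol", "git"), ("carol", "jira"),
    ("dave", "git"), ("dave", "jira"),
    ("erin", "git"), ("erin", "jira"),
    ("alice", "ledger"), ("alice", "payroll-db"),
    ("frank", "ledger"),
    ("grace", "payroll-db"),
]

# Resources the business has tagged as highly sensitive (constructed).
SENSITIVE = {"payroll-db", "prod-server"}

# Review cadence per section: sensitive access monthly, outliers as soon as detected,
# the routine remainder on the usual annual cycle (assumed values).
CADENCE = {
    "sensitive-outlier": "immediately, multi-level",
    "outlier": "immediately",
    "sensitive": "monthly",
    "routine": "annually",
}


def cohort_prevalence(assignments, users, cohort_key="title"):
    """Return ({(cohort, resource): fraction of cohort holding resource}, cohort sizes)."""
    cohort_size = Counter(attrs[cohort_key] for attrs in users.values())
    holders = defaultdict(set)
    for user, resource in assignments:
        holders[(users[user][cohort_key], resource)].add(user)
    prevalence = {key: len(members) / cohort_size[key[0]] for key, members in holders.items()}
    return prevalence, cohort_size


def classify_assignments(assignments, users, sensitive, cohort_key="title",
                         outlier_threshold=0.5, min_cohort=2):
    """Label every assignment with its cohort prevalence, flags and certification section.

    An assignment is an outlier when fewer than `outlier_threshold` of the user's cohort
    hold it. A cohort smaller than `min_cohort` gives no meaningful baseline (everyone in
    a cohort of one is "the only one with that access"), so its prevalence is None and
    it is never flagged as an outlier, only as sensitive where applicable.
    """
    prevalence, cohort_size = cohort_prevalence(assignments, users, cohort_key)
    rows = []
    for user, resource in assignments:
        cohort = users[user][cohort_key]
        p = prevalence[(cohort, resource)] if cohort_size[cohort] >= min_cohort else None
        is_outlier = p is not None and p < outlier_threshold
        is_sensitive = resource in sensitive
        if is_sensitive and is_outlier:
            section = "sensitive-outlier"
        elif is_sensitive:
            section = "sensitive"
        elif is_outlier:
            section = "outlier"
        else:
            section = "routine"
        rows.append({"user": user, "resource": resource, "cohort": cohort,
                     "prevalence": p, "sensitive": is_sensitive,
                     "outlier": is_outlier, "section": section,
                     "review": CADENCE[section]})
    return rows


def certification_sections(rows):
    """Group labelled rows into the sections a reviewer sees, most urgent first;
    empty sections are omitted."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["section"]].append((row["user"], row["resource"]))
    order = ["sensitive-outlier", "outlier", "sensitive", "routine"]
    return {name: grouped[name] for name in order if grouped[name]}


if __name__ == "__main__":
    rows = classify_assignments(ASSIGNMENTS, USERS, SENSITIVE)
    for name, items in certification_sections(rows).items():
        print(f"[{name}] review {CADENCE[name]}: {items}")
```

With the constructed data, Bob's prod-server access lands in the most urgent section (held by 25% of engineers and on a sensitive resource), Alice's and Grace's payroll-db access is sensitive but not an outlier, and the ten git, jira and ledger assignments that every peer shares fall into the routine section that needs only a cursory review. The cohort attribute is a parameter, so the same routine can be run by department instead of job title to catch access that is normal for a title but unusual within a team.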

In my final installment of this 3-part series, we'll focus on the use of intelligence as a means to reduce risk.


16 Apr 2015 1:40pm GMT