27 Apr 2015
The OAuth 2.0 Form Post Response Mode specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This specification defines how to return OAuth 2.0 Authorization Response parameters (including OpenID [...]
27 Apr 2015 8:50pm GMT
MidPoint 3.1.1 was released a few days ago. It is formally an update to "Sinan" (midPoint 3.1). But this is actually quite a substantial release, as the original goal of a "small and quick" update started a life of its own. This is a lesson for us in what can happen when development is driven by customer requirements. Nevertheless, the midPoint 3.1.1 release is here. And it is a good release.
MidPoint 3.1.1 builds on the previous release. The resource wizard, and actually the entire user interface, has usability improvements. The most significant improvement is the addition of the "lookup" object. This object can be used to define a set of legal values for a property that the user can choose from. It can be used to provide a list of employee types, role types, timezones, languages, etc. In accord with the midPoint philosophy, this only needs to be specified once and all the midPoint components automatically adapt to it. This feature makes midPoint deployments even more efficient than before.
MidPoint 3.1.1 is a significant achievement and I want to thank all the Evolveum team members that made it possible. However, I would like to express special thanks to our contributors. It was during the development of midPoint 3.1.1 that we noticed increased contributor activity. We appreciate every single contribution to the midPoint project, whether it is a simple bugfix, a translation or a major feature. Therefore I would like to thank all the midPoint contributors regardless of what they have contributed. But there are two companies that deserve special thanks: Biznet Bilişim and AMI Praha. They have been part of the midPoint community for a couple of years and they provide the energy for continued midPoint development.
It looks like the midPoint community is growing. MidPoint is no longer a technology that is created by Evolveum only. MidPoint is a true open source project that is a product of several cooperating companies. We also see increased customer interest in the technology that we have created together with our partners. I take this as a sign that word about midPoint has already spread far and wide enough for our project to make a mark on the IAM market. That was our initial goal: to make a difference. To improve the terrible state of established IDM technology. We are getting very close to achieving that goal. We have had the technology to do that for some time already. But now we are also gaining the audience.
(Reposted from https://www.evolveum.com/midpoint-3-1-1/)
27 Apr 2015 3:03pm GMT
26 Apr 2015
So how many users do you think are on Gmail now? A quick Google search reveals roughly 500 million (that's about 1/8th of all email users in the world right now). So how many of them do you think use Google Contacts? …
26 Apr 2015 4:28am GMT
25 Apr 2015
About a third of the way into this movie I found myself thinking that film has become such a high art form, attracting so much talent the world over, that either we're going to run out of ideas or our heads …
25 Apr 2015 6:59am GMT
23 Apr 2015
This is an advertisement from Hyundai, but it has a really cool message. Enjoy!
23 Apr 2015 5:03am GMT
22 Apr 2015
I have been using the TSA PreCheck service since soon after its inception in 2011, without paying an enrollment fee, after being invited by US Airways to participate. This has allowed me to use the simpler and faster TSA PreCheck lane at airport security, rather than joining the majority of fliers in regular security lines. However a couple of weeks ago, [...]
22 Apr 2015 11:59pm GMT
(Figure 1) OpenID Certified logo. On the 22nd, local time, the OpenID® Foundation announced the OpenID Connect implementation conformance self-certification program. This is a program in which the OpenID Foundation […]
22 Apr 2015 2:54pm GMT
21 Apr 2015
Privacy is hitting the headlines more than ever. Any of us could have our privacy violated at any time… but what does that mean exactly?
21 Apr 2015 5:30am GMT
17 Apr 2015
Forty five years ago today, the embattled crew of Apollo 13 safely returned home. Against great odds, aided by terrific ingenuity from crews on the ground and undoubtedly by divine providence, the Apollo 13 crew survived an oxygen tank explosion and resultant failure of other systems through improvisation, steely dedication and pure grit. I was just [...]
17 Apr 2015 2:57pm GMT
Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute, and PayPal OpenID Connect Deployments First to Self-Certify Conformance
RSA Conference 2015, San Francisco, CA - April 22, 2015 - Today the OpenID® Foundation introduced OpenID Connect Certification - a program that enables organizations to certify that their OpenID Connect implementations conform to specified profiles of the [...]
17 Apr 2015 1:00pm GMT
The OpenID 2.0 to OpenID Connect Migration specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This specification defines how to migrate from OpenID 2.0 to OpenID Connect. The [...]
17 Apr 2015 12:24am GMT
16 Apr 2015
Access Risk Management Blog | Courion
This is the second installment in a 3-part series that explores how intelligence improves identity & access management or IAM. In part 1, we looked at how intelligence improves the provisioning portion of IAM, which helps to ensure that the right people are getting the right access to the right resources. In this section, we'll look at how intelligence improves the governance portion of IAM, with a focus on validating that the right people currently have the right access to the right resources.
Governance is a verification process, essentially the QA portion of IAM. Many organizations use a manual certification process to verify access, which is essentially a large report that provides a list of users along with their associated access. The certification itself may be a paper-based tool or an electronic tool like Excel. Regardless of the medium, the process is essentially the same and the expectation is that reviewers will look at each user/access assignment and make an informed decision as to whether or not the granted access is appropriate. Depending upon company size, an average reviewer may be responsible for hundreds if not thousands of decisions. That sounds like fun, right? In addition to the fact that a certification is a lengthy, time-consuming process, it is also a mind-numbing exercise. It's no wonder certifications are relegated to an annual or perhaps a semi-annual punishment; pity the folks who tackle this on a quarterly basis. I wonder if anyone has ever collected any statistics that indicate a causal relationship between the scheduling of a company-wide certification and requested vacation days.
So, why do certifications at all? As painful as they may be, certifications serve an important security function; at least that's the intent - your mileage may differ. If you think of access to corporate resources as being somewhat analogous to having a set of keys to your house, don't you want to make sure you have tight control over who has a set of keys? Since the provisioning process incorporates a robust approval process, then why do we need to do periodic certifications on the back end? Haven't we already ensured that the access assignments are appropriate on the front end? Well, yes and no, but mostly no.
You've heard the adage, "the only constant in this world is change." Well, the average corporate environment exemplifies that sentiment. Corporations are dynamic entities. Corporate resources are often being added to or removed from the environment and the data that resides on those resources is constantly changing. Arguably, the most dynamic aspect of a corporation is the human resource component; employees come and go, they join and leave projects, change jobs and/or change departments. In addition, there are often contractors or temporary personnel, which adds another wrinkle to the situation. The limitation of verifying access only during provisioning is the fact that decisions are made in the moment, based upon one's knowledge of the circumstances that exist at that point in time.
However, as discussed above, circumstances change over time, and a decision that was appropriate last year, last month or even yesterday may not be appropriate today. Therefore, a governance process is necessary in order to ensure that access assignments remain appropriate within a dynamic environment. In addition, the governance process must be thoughtfully executed in order to achieve its goal. Unfortunately, a governance process devoid of intelligence tends to devolve into a rubber-stamp exercise. Asking a reviewer to make decisions on hundreds or thousands of access assignments that all feel equally important, combined with the reviewer's tendency to assume that the access assignments are probably already correct, is not a recipe for a strong governance cycle.
By contrast, IAM intelligence in the form of data analytics can make dramatic improvements to the governance process. Envision a certification that is no longer a flat list, but instead organized into sections based upon the degree of attention required of a reviewer. One section may contain all of the access a user has that is in complete alignment with the user's job title or equivalent to access provided to colleagues. This section probably needs little more than a cursory review.
However, another section may contain all of the resources that have been identified as highly sensitive, and a user having access to these resources requires a greater degree of scrutiny by a reviewer. Yet another section may identify access assignments that the intelligence engine, based upon configurable policies that reflect a corporation's business policies, has flagged as being questionable.
One such example is outlier access, which may be defined as an access assignment that differs by some degree from access that is held by a user's cohort group, such as others with the same job title or others in the same department. Such an intelligence-driven certification would focus a reviewer's attention on those items that matter most, perhaps even requiring multi-level certification based upon the sensitivity of the resource or the degree to which the access is an outlier.
Perhaps the most attractive aspect of intelligence-driven certifications is the potential to eliminate the need for an all-encompassing review altogether. Since the use of intelligence can segment access assignments into different groups based upon configurable criteria, why not use that intelligence as the basis for determining which access should be reviewed, on an as-needed basis? Sensitive resources can be reviewed monthly. Outlier access can be reviewed as soon as it is detected, and the access can be removed immediately or approved for a given amount of time based upon configurable boundaries.
Intelligence-driven governance is a game-changer: it identifies and organizes access assignments into questions that focus reviewers' attention on the things that matter most to the business. The use of intelligence changes the question from "Are all of these access assignments appropriate?" to questions like "Should Bob have access to this server when he is the only one in the department with such access?", "Sue has access to this file share just like all of her colleagues, but she's the only one accessing it on the weekends; is that appropriate?" or "This resource has been identified as highly sensitive and average utilization of it has increased over the past week; in particular, Joe & Fred have shown a 200% increase for this resource. Is that appropriate?"
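As an added illustration of the sectioned certification and the focused reviewer questions described above (example code written for this page, not Courion's product; the users, departments, entitlements, sensitive-resource list and outlier threshold are all constructed):

```python
from collections import defaultdict
# Constructed sample data, not from the post: user -> (department, entitlements held)
ASSIGNMENTS = {
    "alice": ("finance", {"erp", "fileshare-fin", "vpn"}),
    "bob":   ("finance", {"erp", "fileshare-fin", "vpn", "prod-db-admin"}),
    "carol": ("finance", {"erp", "fileshare-fin", "vpn"}),
    "dave":  ("finance", {"erp", "vpn", "hr-portal"}),
    "erin":  ("it", {"vpn", "prod-db-admin", "jump-host"}),
    "frank": ("it", {"vpn", "prod-db-admin", "jump-host"}),
}
SENSITIVE = {"prod-db-admin"}   # resources classified as highly sensitive (constructed)
OUTLIER_THRESHOLD = 0.5         # configurable policy: cohort share below this is an outlier
CADENCE = {"sensitive": "monthly", "outlier": "on detection", "aligned": "cursory"}

def cohort_share(user, entitlement):
    """Fraction of the user's department peers (excluding the user) holding the entitlement."""
    dept = ASSIGNMENTS[user][0]
    peers = [u for u, (d, _) in ASSIGNMENTS.items() if d == dept and u != user]
    if not peers:
        return 0.0   # nobody to compare against: surface it for review
    return sum(entitlement in ASSIGNMENTS[u][1] for u in peers) / len(peers)

def classify(user, entitlement):
    """Certification section for one user/access assignment."""
    if entitlement in SENSITIVE:
        return "sensitive"   # always gets full scrutiny, regardless of cohort
    if cohort_share(user, entitlement) < OUTLIER_THRESHOLD:
        return "outlier"     # differs from the cohort: review as soon as detected
    return "aligned"         # matches peers: cursory review is enough

def review_question(user, entitlement):
    """The focused question a reviewer sees instead of a flat list entry."""
    section = classify(user, entitlement)
    dept = ASSIGNMENTS[user][0]
    share = cohort_share(user, entitlement)
    if section == "sensitive":
        return f"{user} holds sensitive resource {entitlement} ({share:.0%} of {dept} peers do); appropriate?"
    if section == "outlier":
        return f"Should {user} have {entitlement} when only {share:.0%} of {dept} peers hold it?"
    return None   # aligned access needs no individual question

def build_certification():
    """Group every assignment into sections and attach the review cadence for each."""
    sections = defaultdict(list)
    for user, (_, entitlements) in ASSIGNMENTS.items():
        for ent in sorted(entitlements):
            sections[classify(user, ent)].append((user, ent, round(cohort_share(user, ent), 2)))
    return {s: (CADENCE[s], sorted(items)) for s, items in sections.items()}
```

The `aligned` section is what a reviewer can skim; the `sensitive` and `outlier` sections carry the cohort share so the question "is Bob the only one in the department with this?" is answered before the reviewer opens the item.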
In addition to the fact that the governance process can evolve from a high-level check to very specific queries, the addition of intelligence ensures that these specific questions are asked at the time the events are happening, such that anomalies can be addressed immediately before they become a catastrophe.
In my final installment of this 3-part series, we'll focus on the use of intelligence as a means to reduce risk.
16 Apr 2015 1:40pm GMT