Hitachi ID Systems Blogs

Politics and privacy in the 21st century

February 17th, 2012

For those of you who don’t follow Canadian politics, there has been an interesting story developing in the past week. It’s quite illustrative of the direction that public discourse about privacy and security seems to be taking in the Internet age.

The story begins with the current federal government, which calls itself conservative, bringing forward a bill that would enable police to demand logs from public ISPs, without a warrant. Basically warrantless wiretapping for the digital age, at least in certain circumstances.

Click for the actual bill

It’s interesting to see a “conservative” government promote such legislation — they are clearly torn between libertarian impulses (small government) and law-and-order impulses (heavy-handed police powers). It’s not at all clear that their caucus is uniformly in support of this bill.

Incidentally, the offending bit of language appears to be this:

“487.11 A peace officer, or a public officer who has been appointed or designated to administer or enforce any federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament, may, in the course of his or her duties, exercise any of the powers described in subsection 487(1) or 492.1(1) without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant.”

Really? Under what “exigent circumstances” could it conceivably be “impracticable” to obtain a warrant to violate the privacy of a citizen?

Anyways, the story gets more interesting from there, and this is where the intersection of privacy and politics really comes up:

First, Vic Toews, the minister in charge of this dubious legislation stoops to the following assertion in Parliament: “you stand with us or with the pedophiles.” You just have to expect some negative response when you use language like that! The bill has nothing to do with children, incidentally.

So no surprise – a storm of public indignation. Mr. Toews cheerfully renames the bill to “Protecting Children from Internet Predators Act” but nobody buys this weak attempt at spin.

Next, some twitter accounts show up. Notably two:

  • One divulging all sorts of tawdry details about Mr. Toews’ recent divorce: Vikileaks30
  • One where Canadians share all sorts of inane details from their personal lives, to illustrate the point that the government has no business intruding in this manner, especially without a warrant: #TellVicEverything

So some citizen has access to personal details about Mr. Toews’ divorce and is using it to embarrass the minister in an effort to push back against this proposed bit of legislation.

So that’s it, right? Social networking vs. politics?

Not quite.

First, it turns out that the Twitter account is being updated by someone inside Parliament: Ottawa Citizen investigative report

The Citizen used a honeypot to lure the genius posting these Twitter messages. The person behind Vikileaks30 is almost certainly one of the newly elected NDP members — many of whom are little more than children, elected by Quebecers who wanted “anything but the status quo” during the last election.

In a final bit of irony it seems that:

  • Mr. Toews’ divorce was triggered at least in part by two affairs over multiple years, one of which led to a child.
  • At least one of the affairs was with a much younger woman and at least one (the same?) was with his children’s babysitter.

This last is rich — Mr. Toews is a vocal social conservative, making public noises about the sanctity of heterosexual marriage — but has an affair. He relabels the current bill “Protecting Children from Internet Predators Act” but has sex with his own children’s babysitter, who is of course much younger than himself. Does hypocrisy know no bounds?

So that’s it. The modern face of privacy and politics:

  • Politicians are dirty — both the NDP operative behind Vikileaks30 and Mr. Toews.
  • Politicians talk a good game — ethics and decorum in parliament, protecting children, sanctity of marriage, etc. but practice something entirely different.
  • Legislation relating to privacy, intellectual property, Internet throttling, wireless spectrum access and more is very much on the public agenda, and is in no way obscure legalese that the public doesn’t care about.
  • Even a majority government has to listen to citizens, or risk their wrath at the polls next time around.
  • The opposition seems to be effective in the short term, leveraging public media and exposing dirty laundry, but they are also nasty and ugly, and may be punished for those characteristics on the next poll.

Is it a discussion or a lecture?

January 27th, 2012

An amusing graphic that everyone could benefit from:

(click on link to see the picture)

EU gets serious about privacy

January 25th, 2012

Does your organization do business in Europe? Sell any products or services to EU citizens?

If so, you’ll want to watch developments regarding a refresh to the EU privacy directive. There is a proposal to turn it into a uniform regulation (at least it will be the same in all 27 countries!) but also to make it quite onerous (100 pages of text?), to make compliance more onerous and to make incidents where privacy was compromised very expensive.

Read more here:

Official page with the proposal

Discussion of the changes

My take is that compliance will get quite expensive.

– Idan

IE6 is finally going to go away!

December 20th, 2011

Just read this:

windowsteamblog.com

Looks like Microsoft is going to use Windows Update to push out a “patch” that finally drives a nail into the coffin of IE6/IE7. Hooray! The world will be a better place with that ancient piece of junk gone. Just think of all the HTML and CSS hacks that we can all retire. ;-)

SCADA system hacked

November 18th, 2011

It used to be that nobody in their right mind would connect mission critical SCADA systems to the Internet. That was certainly the “accepted best practice” many years ago when I used to do pen tests.

It seems that some people these days place convenience over security, and the result is predictable: hacked SCADA systems and disruption to physical infrastructure.

Attack on City Water Station Destroys Pump

Given the fun the Iranians have been having with Stuxnet, you’d think people would be smarter than that…

Ian Glazer’s talk: Developing a Business- Centric Identity and Access Management Strategy

November 17th, 2011

I just came home from San Diego, where I was at Gartner’s Identity and Access Management conference.

A good event, actually. Lots of smart people in one place, all passionate about identity and access management and sharing their real-world experiences.

One session that really struck a chord for me was Ian Glazer’s talk titled “Developing a Business-Centric Identity and Access Management Strategy.” This may seem self-serving, but it struck a chord because a lot of what he was saying was so closely aligned with what we’ve been doing here at Hitachi ID for some time.

For example, he proposes an incremental approach to identity management projects, which we also recommend. I think that’s pretty widely accepted these days. “Boil the ocean” never worked for anyone, in IT or other disciplines.

More importantly, he offers a nice, practical way to help organizations figure out how to break down their monolithic identity management objectives into bite-sized pieces. Basically get your stake-holders to sit down together and fill in a worksheet with the following columns:

  • Constituent:
      • Kind
      • Source of truth
      • Opportunity for life cycle automation
  • Life cycle event
  • Target system:
      • Name
      • Value
      • Fulfillment volume

This is very similar to what we already do in workshops that we hold with customers before starting an engagement. Our terminology is slightly different, but basically it boils down to:

  • User community (e.g., US employees or EU contractors, etc.)
  • Data source (e.g., HR, contractor database, manager input, etc.)
  • Data quality and timeliness (e.g., is HR providing data early enough to trigger automation?)
  • Change type (e.g., hire, move, fire, etc.)
  • Volume (e.g., how often does this change happen?)
  • Application (e.g., where does the organization want to create, modify or delete access?)
  • Impact (e.g., how important is it to get these changes made quickly?)

Do you see the similarity? It’s almost identical! Gotta love it when different practitioners arrive at the same solution.

We work with customers to collect this information and prioritize. Ian structures this stuff in a table and each row is a potential deliverable, organized into a priority sequence. Nice and clear!

But there’s more! Ian was promoting the value of an “entitlement catalog.” I’ve been convinced for some time that it’s important to assign human-legible descriptions, help links and meta data to groups, accounts, roles and other resources assigned to users. The list of these objects and their meta data are exactly Ian’s entitlement catalog.

Enough similarity? No! Ian also gives a nice and clear model of manual vs. automatic processes. He structures it as follows:

  • Lifecycle Events
  • Access Policy Management
  • Fulfillment
  • Identity repository
  • Entitlement catalog

This maps 1:1 to our own terminology:

  • Requests portal (a.k.a. manual input of lifecycle events).
  • Automatic administration engine (a.k.a. automatic input of lifecycle events from an HR feed or similar).
  • Approvals workflow (a.k.a. manual access policy).
  • SoD and other automated policy checks (a.k.a. automatic access policy).
  • Transaction manager and connectors (a.k.a. automatic fulfillment).
  • Implementers workflow (a.k.a. manual fulfillment).
  • Profile attributes (a.k.a. identity repository).
  • Resource attributes (a.k.a. entitlement catalog).
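To make the worksheet and the manual-vs-automatic mapping above concrete, here is an added example (not code from the post, from Ian Glazer or from Hitachi ID). Each row carries the worksheet columns; the `has_connector` field and the value × volume scoring rule are assumptions of this example, and the sample rows are constructed.

```python
from dataclasses import dataclass

# Assumption for this example: these sources of truth are system feeds that
# can drive the automatic administration engine; anything else (e.g. manager
# input) arrives as a manual lifecycle event through the requests portal.
AUTOMATIC_SOURCES = {"hr", "contractor database"}


@dataclass
class Row:
    constituent: str        # e.g. "US employees" (worksheet: Constituent / Kind)
    source_of_truth: str    # e.g. "HR", "manager input"
    life_cycle_event: str   # hire / move / fire
    target_system: str      # worksheet: Target system / Name
    value: int              # 1..5, business value of this deliverable
    volume: int             # fulfillment volume, events per month
    has_connector: bool     # assumption: target has a connector available


def lifecycle_input(row: Row) -> str:
    """Automatic admin engine for feed-driven events, requests portal otherwise."""
    return "automatic" if row.source_of_truth.lower() in AUTOMATIC_SOURCES else "manual"


def fulfillment(row: Row) -> str:
    """Connector-based (automatic) fulfillment vs. implementer workflow (manual)."""
    return "automatic" if row.has_connector else "manual"


def score(row: Row) -> int:
    # Assumption: value x volume approximates the payoff of automating this row.
    return row.value * row.volume


def prioritize(rows):
    """Each row is a potential deliverable; return (score, description) highest payoff first."""
    ranked = sorted(rows, key=score, reverse=True)
    return [(score(r),
             f"{r.life_cycle_event} {r.constituent} on {r.target_system}: "
             f"lifecycle input {lifecycle_input(r)}, fulfillment {fulfillment(r)}")
            for r in ranked]


# Constructed sample worksheet rows.
SAMPLE = [
    Row("US employees", "HR", "hire", "Active Directory", 5, 120, True),
    Row("EU contractors", "manager input", "fire", "SAP", 4, 15, False),
    Row("US employees", "HR", "move", "Mainframe", 3, 40, False),
]

if __name__ == "__main__":
    for s, description in prioritize(SAMPLE):
        print(s, description)
```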

Man. A love-fest with Ian Glazer?

Well, that would be just a bit too weird, so I have to disagree with him on at least one thing!

Ian suggests that “Access Governance” should be decoupled from “Identity Administration.”

I agree with the need for almost all the functions in both of these buckets, but these two sets of features share so much data (remember the identity repository and entitlement catalog? policy stores? change history?). Whenever two products share a ton of data the natural question to ask is: “are they really two products, or just multiple features in the same product?” I think these features should actually live in a single product for just this reason. Plus customers expect connectors with their “governance” user interface and portal. Customers expect a usable request portal, approvals process and access certification with their connectors. I think customer expectations are reasonable.

That’s why our Identity Manager includes:

  • Auto-discovery of identity and entitlement data on the applications where it already exists.
  • Connectors to create, modify and delete users and entitlements.
  • Automation to create workflow requests as a consequence of detected changes.
  • A web portal for users to access one another’s profiles and submit workflow requests interactively.
  • Policy engines for things like SoD checks and approvals routing.
  • Roles for simplified entitlement definitions.
  • Workflow processes to invite human beings to implement approved changes.
  • Workflow processes and screens to invite human beings to review and certify or remediate entitlements.
  • Reports and dashboards to monitor all of that.

How is this different from Ian’s model? It’s all in a single product, with a single back-end database, a single UI and a uniform set of processes. I think the market will follow us in this integrated direction. The decoupling between “access governance” and “user provisioning” should be conceptual, not technical.

Best (or worst) hacks of 2011 thus far

October 31st, 2011

Just in time for Halloween and definitely worth a read:

Dark Reading.

Fun and interactive password strength calculator

October 5th, 2011

https://www.grc.com/haystack.htm

Sometimes we forget how fast things change…

September 28th, 2011

I noticed an advertisement in an in-flight magazine yesterday. It was for an HP tablet. I checked the magazine – it was dated September. Just think: this ad was purchased by HP very recently, and in the very short time between advertising purchase and when I picked up the magazine, HP dumped its inventory for $100/unit and killed off the whole division.

The dichotomy between normal time-lines for print advertising and the pace at which IT companies are forced to make and execute on major, strategic decisions couldn’t have been more clearly illustrated.

Amazing.

VMware Workstation 6.5.5 on Ubuntu 11.04 “Natty Narwhal”

September 20th, 2011

I had the pleasure of upgrading the OS on my laptop the other day. And I use the term pleasure very loosely, because I had to move around about 150GB of data – so much fun.

Anyways, I was not surprised to see that the most recent patch level of VMware Workstation 6.5.x didn’t want to install on my new OS. That’s been my experience with VMware over the past few years – doesn’t work out of the box on Ubuntu. Insert grumbling noises.

A Google search didn’t turn up anything, and it was a weekend job, so I just left it.

Good thing too – turns out that while nobody has published a patch to VMware Workstation 6.5.5 for a 64-bit install of Ubuntu 11.04, one of the guys at work had already done the work. He asked to remain slightly anonymous – but I’ll share his initials – JN. Nice work JN.

So in case you are reading this and wanting to install VMware Workstation 6.5.5 on Ubuntu 11.04 64-bit, please try this patch:

hitachi-id.com/largedocs/patches/vmware655onUbuntuNatty.zip

And everyone say thank you to JN for making it (a) work and (b) easy. :-)

– Idan