Hitachi ID Systems Blogs

Archive for the ‘Uncategorized’ Category

SPML is dead … long live “SPML envelope”?

Saturday, September 17th, 2011

I just got a demo from our engineers of an integration they completed for a higher-ed customer. The customer is using a prominent ERP for higher ed and needed to send onboarding and deactivation requests, in real time, to our identity manager. This was to be done using an SPML gateway.

The demo went great – the web services gateway does, indeed, send messages to our system to provision and deactivate students, faculty and staff in real time. Everything works nicely, especially once our guys and the customer’s team worked through crashes in the J2EE app server hosting the software that sends messages to our system.

Did I mention that J2EE sucks and major J2EE servers are crashy junk? Let’s leave that for another day.

Just one hitch: when I had a look at the message format, I discovered that while the message envelope was indeed SPML, the message body was not. Indeed, the message body was clear and human-legible, something nobody would accuse SPML of. There are plenty of sample SPML messages out there (google for SPML example if you’re curious) but the key point is that they are nasty, overburdened XML not suitable for human eyes.

Our friendly higher-ed ERP vendor clearly wanted (a) to be seen as a leader adopting standard protocols, such as SPML and (b) to deliver a developer-friendly, legible web service. (a) and (b) are not compatible, so they seem to have found a sneaky way to do both – use the header from SPML but send nice content in the body.

Nice.

We had to write a bit of custom code to parse the message body, but hey – it wasn’t anything like the spaghetti required to parse real SPML, so no complaints.
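A parser for a message of this shape, added here as an example rather than the integration’s real code: the envelope is an SPML 2.0 addRequest (namespace as in the SPML 2.0 core spec), while the legible body inside `<data>` is a constructed format in a hypothetical vendor namespace. The point is that the envelope gets validated before anything in the body is trusted, which is the part the gateway does not do for you.

```python
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"      # SPML 2.0 core namespace
BODY_NS = "urn:example:erp:person"           # hypothetical vendor body namespace
REQUIRED = ("id", "action", "affiliation")   # fields our side insists on
ALLOWED_ACTIONS = {"onboard", "deactivate"}

# Constructed sample message: an SPML addRequest envelope whose <data> element
# carries a plain, human-readable body in the vendor's own (made-up) namespace.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<addRequest xmlns="urn:oasis:names:tc:SPML:2:0"
            requestID="req-1001" executionMode="synchronous">
  <containerID ID="students" targetID="identity-manager"/>
  <data>
    <person xmlns="urn:example:erp:person">
      <id>s12345</id>
      <action>onboard</action>
      <affiliation>student</affiliation>
      <email>jane.doe@example.edu</email>
    </person>
  </data>
</addRequest>
"""


class EnvelopeError(ValueError):
    """Raised when the message is not an SPML request we are willing to act on."""


def parse_request(xml_text: str) -> dict:
    """Validate the SPML envelope, then return the body fields as a flat dict."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise EnvelopeError(f"not well-formed XML: {exc}") from exc
    # Envelope checks: right namespace, an operation we support, a request id.
    if root.tag != f"{{{SPML_NS}}}addRequest":
        raise EnvelopeError(f"unsupported SPML operation: {root.tag}")
    request_id = root.get("requestID")
    if not request_id:
        raise EnvelopeError("missing requestID")
    data = root.find(f"{{{SPML_NS}}}data")
    person = data.find(f"{{{BODY_NS}}}person") if data is not None else None
    if person is None:
        raise EnvelopeError("no <person> body inside <data>")
    # Body checks: the vendor body is legible, but we still whitelist what we accept.
    fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in person}
    missing = [f for f in REQUIRED if not fields.get(f)]
    if missing:
        raise EnvelopeError(f"missing body fields: {', '.join(missing)}")
    if fields["action"] not in ALLOWED_ACTIONS:
        raise EnvelopeError(f"unsupported action: {fields['action']}")
    return {"request_id": request_id, **fields}


def check(xml_text: str):
    """Return None if the message is acceptable, otherwise the rejection reason."""
    try:
        parse_request(xml_text)
        return None
    except EnvelopeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
```

The standard library parser is used for brevity; a gateway exposed to other parties would wrap it with defusedxml or an equivalent entity-expansion guard.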

This is the first time we’ve ever had an actual, honest-to-goodness use case for SPML at a living customer – not a demo for an analyst firm or trade show, so I thought we’d get to exercise more of the standard. I guessed wrong.

SPML *could* be used to manage security in an app, but I’ve yet to meet an app that supports inbound SPML instead of a proprietary API.

SPML *could* be used to notify a user provisioning system of events in a system of record (as happened in our deployment here), in real time, but I’ve yet to meet an application that does that using actual SPML message bodies.

I guess SPML is so ugly that a bunch of cloud vendors invented a simpler alternative – SCIM (simplecloud.info/). I don’t think there is anything particularly “cloud” about SCIM – it’s just that the people pushing it are SaaS vendors and the word “cloud” is sexy these days.

Hopefully SCIM succeeds where SPML failed – perhaps by having a clear schema and simple syntax that humans can read unaided.

Here’s to hoping.

– Idan

Last time: SocGen, this time: UBS

Thursday, September 15th, 2011

Lovely news today – a massive loss due to unauthorized trading at UBS:

http://www.reuters.com/article/2011/09/15/us-ubs-idUSTRE78E15I20110915

I find this one more distressing than the last time this happened, at Société Générale, for a couple of reasons:

1) Didn’t anyone learn anything from the last incident?
2) UBS? Seriously? I bank with these guys!

The solutions to prevent this sort of thing are both technical and business ones.

The technical solutions are good controls over access to sensitive systems, including segregation of duties policy enforcement, to ensure that it takes at least two people to do something stupid.

Of course, I’m biased – we make software that can help with the technical part of the fix.

The business part is more contentious, but perhaps more important. I think part of the problem with controls is the ridiculous volume of transactions that investment banks make, hoping to turn a profit on super-fast trades and arbitrage. I don’t think that stuff actually does the economy at large any good — it’s just a part of the casino mentality in the financial industry. One rule I’d impose, if I magically got the power to do so tomorrow, would be to force entities who purchase any kind of financial instrument to hold it for a while. Say for an hour. Or a day.

That doesn’t sound like a big deal to anyone who is a retail investor, but I bet it sends cold shivers down the spine of big institutional investors. What? I can’t buy some stock and sell it again 20 milliseconds later? You’re kidding?

Oh well. I can’t fix the business problems, so I’ll stick to making technology that helps enforce some basic controls: privileged access management, session recording, segregation of duties enforcement, access certification, approvals workflows, etc. You know, the easy stuff.

– Idan

Tablets are to laptops as TV is to computers…

Friday, August 19th, 2011

I got a tablet a while back, and I’ve been thinking about what it means for the IT business. This has taken on more significance in light of HP’s announcement that they will exit the tablet and phone businesses.

What I notice with the tablet is that while it’s a convenient device for consuming media – watching movies and TV shows, listening to music, browsing a few web pages, playing simple games, etc. — the user experience is brutal when I try to input text.

I think I’ve gotten pretty good at using the capacitive touch screen for text input on both the tablet and my (very large screen) phone. Still, I doubt I could sustain more than about 3 words per minute of text input into these things. By comparison, once upon a time, probably 20 years ago, I clocked myself at 120 words per minute of text input using a keyboard.

So for me, a keyboard is about 40 times more effective than a touch screen. If I have more than a few words to enter, I’ll reach for the PC or laptop, thank you very much. My pain threshold for glacial user input just isn’t that high.

So the tablet is basically a media consuming device. A step up from a portable DVD player, if you will. Doesn’t that make it more or less equivalent to a television, where we all sit on the couch, numbly consuming dumbed-down content? I think the analogy is pretty compelling.

To imagine where tablets will go in the future, look no further than the evolution of TVs. They sold (and continue to sell) like hotcakes. Millions of units shipped every year. Fancy technology (think huge LCD flat screens, 3D TV, etc.) all dedicated to pushing visually stunning but largely dumbed down content to numb consumers.

Whereas a PC is an interactive device where people actually contribute something — you know, write documents, send e-mails, heck – even play interactive games with their friends — TVs are just numbing. I think the portable version of a PC is a laptop, and the portable version of a TV is a tablet.

This means that tablets will continue to be a huge commercial success for their manufacturers, but their social impact will resemble that of the TV…

As for the “business use” of tablets … what business use? Reading e-mails on the go? Watching movies while flying to a sales meeting? I think business users want tablets-as-toys, and the “business use” of tablets is just a made up justification to get the company to buy the toy. Maybe I’m just cynical.

I think this even impacts the “Web 2.0” movement. Remember that? It was supposed to mean that users contribute content to the web – rather than just reading static web pages. I think tablets are not “Web 2.0 compatible” — they are really “Web 1.0” devices.

Funny, that.

Google buys Motorola Mobility – So What?

Monday, August 15th, 2011

Interesting news today about Google buying Motorola’s mobile products division:

http://investor.google.com/releases/2011/0815.html

So what does this mean and who should care?

First, why would Google buy Motorola Mobility? I tend to agree with other opinions out there, that this was basically a purchase of a patent portfolio and a mobile products company was attached to the deal but wasn’t the real target. I don’t think Google is particularly interested in the company they just bought — they wanted a war chest of patents.

There is a patent war brewing in the mobile phone market and Google needed the ammunition to threaten Apple and Microsoft with counter-suits as they became increasingly litigious.

Of course, Google will try to keep Motorola Mobility profitable, to help pay for their acquisition of a bunch of patents.

This just highlights the foolishness of software / business method patents. They are incredibly wasteful of capital and add nothing to the economy. Google had to spend $12B to add no shareholder or customer value, just to defend themselves against a bunch of pointless lawsuits.

So what happens next?

First, it seems reasonable to assume that Google will want to continue to nurture its Android partner ecosystem. These partners will be understandably worried now that their OS supplier will compete with them in the hardware space. That’s quite the unfair advantage.

Google doesn’t want to scare off the Android ecosystem, so they will presumably run the acquired company independently of the main Google corporation. It will probably have no special advantages (such as early access to new OS versions) as compared to other Android partners. Google can then transfer the patents from this new subsidiary or organizational unit to its Android business unit, to be used as a defensive asset.

I would expect Google to use the patents to help defend its existing Android partners against suits by Apple, Microsoft and others. Google partners actually benefit from today’s transaction in that sense.

Does this mean that the formerly-Motorola business unit will continue with business as usual? Probably not quite. I would think that Google will make phones that are less full of crappy third party add-ons and “enhancements.” I would expect to see a clean OS and a clean UI on new Motorola phones, probably starting to show up in 6-12 months.

I don’t think Google is interested in the relatively small revenue streams generated by pre-installing junk and teaser software on phones. They are much more interested in a healthy Android ecosystem, which will drive future revenue growth on their ad platform, as more people search for more content from their phones. Google strikes me as a company with a long-term strategy, willing to sacrifice short-term revenue to win the long-term game.

This can only be good for users, especially as the other phone manufacturers are forced to clean up their OS distributions and stop filling their phones with junk, in order to compete with new Google/Motorola phones that have a cleaned up UI.

Presumably this is bad for Apple on at least two fronts:

  • Google and other Android partners can counter-sue Apple for patent infringement, effectively neutering Apple’s strategy.
  • Google will force the entire Android ecosystem to make more user friendly phones, with fewer annoying add-ons, making any UI advantage Apple might enjoy today, at least as compared to non-rooted Android phones, disappear.

Apple may continue with a litigation-heavy strategy to compete with Android, in which case they will likely get shot down, or they may change strategies and focus on innovation instead. That would be better for everyone, including Apple.

Now that Google has bought Motorola, will Microsoft follow suit and buy RIM or Nokia? There is certainly buzz about that and both of those stocks bounced today.

Microsoft hasn’t traditionally been (a) acquisitive or (b) interested in the hardware business. They already have an extensive patent portfolio, so they can’t be too interested in RIM or Nokia’s patent portfolios. My bet is that they don’t make any acquisitions in response to today’s news, especially not RIM, whose platform is not really compatible with Microsoft’s future direction.

Interesting times we live in, but at least today the consumer came out as the big winner.

BYOD

Tuesday, August 2nd, 2011

The big trend these days seems to be the use of consumer computing devices (smart phones, tablets, etc.) in the enterprise. Bring Your Own Device or BYOD for short.

On the one hand, I get it. Users want a particular device and as more and more apps move to a web UI, they actually can use their device as the web browser. Really – a typical corporate user needs MS Office or equivalent, a web browser, an IM client maybe, access to filesystems and e-mail. Even my phone can do that stuff. Why shouldn’t I be able to use my phone anyway? Users don’t want multiple devices for multiple applications either. If they already have an iPhone, or their own laptop, they don’t want to lug that *and* a corporate device on their trips.

The problem with this is risk management. Sure, the user’s own device is compatible, but how does the corporation know that there isn’t a keylogger installed on it, leaking corporate passwords and other data? How can the corporation be assured that the device’s filesystem is encrypted, so that if it’s lost or stolen, there isn’t data loss? How do they know that the user’s PC doesn’t have a virus installed on it, which will propagate as soon as it’s plugged into the corporate network? These are pretty serious risks that users don’t seem to really understand.

It seems to me that BYOD should, to comply with audit and regulatory requirements, go hand in hand with some basic requirements:

* Make the device stateless, or at least keep all the corporate data in a VM, whose configuration (including filesystem crypto) is managed.
* Require users to run some sort of anti-malware code on their device, to prevent basic attacks like keyloggers.
* Require users and IT to collaborate in ensuring that consumer devices meet these requirements.
* Absolve IT from supporting the device, beyond this vetting process.

Are users willing to live with these constraints? I honestly don’t know, but they seem pretty foundational to me.

Economic growth and energy

Tuesday, August 2nd, 2011

OK, so this is nothing to do with IAM, but it’s interesting nonetheless.

http://physics.ucsd.edu/do-the-math/2011/07/galactic-scale-energy/

In this post, Tom Murphy points out, quite rightly, that continuing economic growth implies continuing growth in the energy use of society. Continuing growth in energy use means (a) we run into physical limits in the amount of energy we can harvest and (b) we heat the earth to unliveable temperatures.

He’s right of course – nothing is forever – so the real question is: “how much longer can we continue to grow the world economy?”

I wish I knew. :-)

cool analysis of how users choose (weak) passwords

Monday, July 18th, 2011

Check this out – it’s an analysis of the compromised password databases at Sony and Gawker. Very cool breakdown of how users choose passwords, at least when not constrained by a policy engine:

http://www.troyhunt.com/2011/07/science-of-password-selection.html

How many exploits does it take to bring a company down?

Thursday, June 2nd, 2011

Just watch Sony to find out!

Can you say pattern? I know you can!

– Idan

RSA breach, round 2: Lockheed Martin

Saturday, May 28th, 2011

When RSA originally announced their security breach, they were quite circumspect about what exactly was stolen. There was lots of conjecture flying around, but nobody knew for sure, because RSA wasn’t saying much.

The RSA announcement was here:

http://www.rsa.com/node.aspx?id=3872

What set the industry abuzz was the suspicion that:

  • The attacks were carried out by state actors, not just random criminals.
  • The attacks compromised key material used in the RSA SecurID token authentication process.
  • This key material could be used, by a reasonably sophisticated attacker, to impersonate a legitimate user in an organization that relies on RSA SecurID tokens.

Nobody knew for sure, but this seemed like a strong possibility and a dangerous one at that.

Today we started getting confirmation that this exact scenario is what has been playing out. Lockheed Martin, one of the largest US military contractors, is reporting ongoing attacks related to RSA tokens, which are typically deployed to authenticate remote users in their VPN connections.

http://www.nytimes.com/2011/05/28/business/28hack.html

So if reports are to be believed – and where there’s smoke there is usually a fire – then it’s likely that a state actor (probably China) first compromised RSA to acquire key material for all RSA tokens everywhere, then used this data to construct fake tokens and attack user accounts at interesting organizations, including US military contractors.

If your organization uses RSA tokens, then you presumably deployed them to increase the security of remote user connections to your network from a somewhat complex single factor (a password) to two factors, consisting of evidence that the user physically possesses his token plus an even simpler knowledge-based factor (typically a 4 digit PIN).

What you actually got, however, now that the key material was breached, was a change from a single, moderately complex password to a single, definitely simple, PIN. The token part can be impersonated, by at least one foreign entity. Your adversary also has to figure out which token is associated with which of your users, and apparently they are using phishing to figure this out.

So what to do?

Clearly, the RSA tokens should be replaced. I imagine RSA will be offering replacement tokens based on different key material. I wouldn’t go there, however, since the basic problem with this architecture is that there is a single point of failure — RSA — and that’s a very tempting target for powerful adversaries.

To RSA’s competitors — do your architectures also have this weakness? Unless you can demonstrate that your tokens don’t aggregate risk in the same way, then you are guilty by association…

Perhaps another token solution? Or smart cards, if you have pervasive readers? Or combination smart-card/token devices, if you don’t have card readers everywhere, or one of several mechanisms that leverage user mobile phones as an authentication factor?

All of these make sense — choose the one that works for you.

Heck, going back to just passwords, but making them strong ones and authenticating the endpoint (i.e., is this the same PC that my user usually signs on from?) would be better than the RSA tokens at this point. More convenient for end users too.

Whatever you do, think about risk aggregation. Maybe that’s the new motto for authentication technologies.

– Idan

Trends in enterprise authentication

Tuesday, May 24th, 2011

Someone recently asked me what trends I could see in the kinds of authentication used by medium to large organizations. I thought I’d share my response here – it might be of general interest.

First, I’d like to say that despite every prognostication for years now that we’ll be moving away from passwords Real Soon Now, what I see in the real world is more and more passwords.

This is not to say that organizations aren’t evolving – it’s just that nothing is as cost effective or well understood as passwords. Yes, passwords have security and usability problems, but consider the alternatives:

* Biometrics: you typically need extra hardware at the user’s device plus no matter which biometric you choose, some user will be unable to use it (no hands, no fingers, unable to scan fingerprint, unable to get retinal image, etc. etc.)

* One time password tokens: extra hardware for the organization to purchase and distribute, extra junk for users to carry around, serious boundary condition problems when a user loses his token or leaves it at home plus the recent debacle at RSA.

* Smart cards: same problems as tokens plus more difficult integration and readers required at the endpoint. Ever tried to use a smart card with an app you sign into from your smart phone? Moreover, smart cards carry a PKI certificate payload, so organizations have to stand up and manage a PKI too. That’s tons of fun.

* Mobile phone as authentication factor: increasingly popular, but often as a backup authentication factor, rather than a primary, because it’s still more of a nuisance to users than just a password.

So what’s changing? The big change I see is user location and endpoint device authentication. Sites like Facebook check to see not only that I typed the correct password, but also that I’m signing on from a computer they have seen me use before. If not, they’ll ask me to take extra steps, such as recognizing the faces of my friends and/or answering some personal questions. I think this trend is definitely on the upswing.
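The known-device check just described, and the “is this the same PC my user usually signs on from?” suggestion in the RSA post above, as one added example (not code from this blog or from Hitachi ID): it assumes a hypothetical in-memory `Account` record, signs device cookies with a server HMAC key so a client cannot forge one, and models the login decision as allow, step up or deny; the step-up challenge itself (friend photos, personal questions) is outside the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed for this example: the key that signs device cookies. A real
# deployment would load it from a key store rather than generate it at start-up.
SERVER_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 200_000


class Account:
    """In-memory stand-in for a user record (hypothetical; not any product's schema)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.known_devices = set()   # device ids that completed step-up before


def password_ok(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pw_hash)


def issue_device_cookie(device_id: str) -> str:
    """Bind a device id to this server with an HMAC so the client cannot mint its own."""
    tag = hmac.new(SERVER_KEY, device_id.encode(), "sha256").hexdigest()
    return f"{device_id}.{tag}"


def device_from_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the device id if the cookie's HMAC verifies, else None (treat as unknown)."""
    if not cookie or "." not in cookie:
        return None
    device_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, device_id.encode(), "sha256").hexdigest()
    return device_id if hmac.compare_digest(tag, expected) else None


def evaluate_login(acct: Account, password: str, cookie: Optional[str]) -> str:
    """Decide 'deny', 'step_up' (password right but device unseen) or 'allow'."""
    if not password_ok(acct, password):
        return "deny"            # say nothing about device state on a bad password
    device_id = device_from_cookie(cookie)
    if device_id is None or device_id not in acct.known_devices:
        return "step_up"         # correct password from a new, tampered or forged device
    return "allow"


def complete_step_up(acct: Account) -> str:
    """Once the extra checks pass, enrol a fresh device id and hand back its cookie."""
    device_id = secrets.token_hex(8)
    acct.known_devices.add(device_id)
    return issue_device_cookie(device_id)
```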

What else? More and more web sites are supporting federated authentication. I can sign into the airport Wi-Fi using my Facebook or Yahoo accounts, for example. That’s the new pattern – never mind registering for each and every site (newspapers? stores? airports? coffee shops?). Just use your e-mail or social networking ID on most sites, maybe except for things like the bank which are held to a higher security standard.

And for those organizations that have already deployed tokens or smart cards – I see some of them retiring the technology and going back to passwords. Seriously? Yes. The integration and cost of ownership issues have turned out to be too high for many organizations, and when the economic times are tough, the “cool but hard to use and costly to support” technology goes out the window.

So who is still using smart cards and PKI? Government. That’s about it, really. Private sector organizations are just not going there in any serious way.

And who is using OTP? Fewer and fewer organizations. Mobile phones turn out to be a more user friendly option.

So aren’t we less secure, if everyone reverts to passwords?

Maybe, but first we can mitigate the security problems with passwords — you know, have fewer of them (synchronization and federation come to mind here) and make sure that they are robust, hard-to-guess passwords. And make sure nobody can compromise the password database itself, because that’s how massive exploits happen.

And that’s my $0.02 for today.