NSTIC Update

24.09.2012 by Craig Burton

National Institute of Standards and Technology awards $9M to support trusted identity initiative

Introduction

On September 20, 2012, the National Institute of Standards and Technology (NIST) announced more than 9 million US dollars of grant awards in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

The grants were awarded to five consortiums, all of them big, and all of them representing different views and technologies with a strong focus on identity, security, and trust.

NSTIC Background

While many identity and security professionals are familiar with the Obama administration's NSTIC program, many international professionals are not. In order to address all of KuppingerCole’s constituents, some background information is useful.

The impetus for the NSTIC policy move by the Obama Administration is part of the Cyberspace Policy Review published in June 2009. The administration appointed Howard Schmidt to a new Cyber Security Coordinator position. Schmidt is a well-known security expert and is experienced in international security policies and technologies.

On Tuesday, December 22, 2009, Schmidt was named as the United States’ top computer security advisor to President Barack Obama. Previously, Schmidt served as a cyber-adviser in President George W. Bush’s White House and has served as chief security strategist for the US CERT Partners Program for the National Cyber Security Division through Carnegie Mellon University, in support of the Department of Homeland Security. He has served as vice president and chief information security officer and chief security strategist for eBay.

Prior to joining the Obama Administration, Schmidt served as President of the Information Security Forum and President and CEO of R & H Security Consulting LLC, which he founded in May 2005. He was also the international president of the Information Systems Security Association and a board member of the Finnish security company Codenomicon, the American security company Fortify Software, and the International Information Systems Security Certification Consortium, commonly known as (ISC)². In October 2008 he was named one of the 50 most influential people in business IT by readers and editors of Baseline Magazine.

Source: Wikipedia

Under Schmidt’s direction, and managed by NIST, the first draft of NSTIC was published in June of 2010. The draft received much criticism for the lack of privacy protection for individuals and the size of the role played by the government. A final draft was rewritten and published in May of 2011. In the final draft, the role of the government was reduced and privacy issues were addressed.

The stated objectives of the NSTIC initiative are:

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups and public-sector agencies. The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation.
“Increasing confidence in online transactions fosters innovation and economic growth,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “These investments in the development of identity solutions will help protect our citizens from identity theft and other types of fraud, while helping our businesses, especially small businesses, reduce their costs.”
NSTIC envisions an “Identity Ecosystem” in which technologies, policies and consensus-based standards support greater trust and security when individuals, businesses and other organizations conduct sensitive transactions online.
The pilots span multiple sectors, including health care, online media, retail, banking, higher education, and state and local government and will test and demonstrate new solutions, models or frameworks that do not exist in the marketplace today.

The Announcement

As expected, NIST picked big consortiums with big ideas for identity and trust across a broad spectrum of technologies and market segments. Here are the basics of its choices for the consortiums:

“These five pilots take the vision and principles embodied in the NSTIC and translate them directly into solutions that will be deployed into the marketplace,” said Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST. “By clearly aligning with core NSTIC guiding principles and directly addressing known barriers to the adoption of the Identity Ecosystem, the pilot projects will both promote innovation in online identity management and inform the important work of the Identity Ecosystem Steering Group.”

The grantees of the pilot awards are:

The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
Criterion Systems (Va.): $1,977,732
The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis® Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
Daon, Inc. (Va.): $1,821,520
The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
Resilient Network Systems, Inc. (Calif.): $1,999,371
The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative.
In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2's InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2's partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation’s identity ecosystem.

High Level Analysis

In terms of government initiatives, NSTIC has been moving at lightning speed. Jeremy Grant has been a proactive advocate of the initiative and is an articulate and capable leader. It shows in the choices of these consortiums and their constituents.

At the same time—9 million dollars spread across five initiatives; each with many mouths to feed—does not go very far and can be used up very quickly. It will be interesting to see how far each will proceed over the next twelve months. I chose 12 months because I can’t see how the money awarded to each group will last much longer than that.

Each group will need to put a plan together and execute in that time frame if they are to survive.

Over the next short period, we will take a closer look at each initiative, what their respective architectures look like, and what their specific objectives are in their roles in the identity ecosystem outlined by NIST.

Of course, I will be paying special attention to what each consortium has planned as an API Economy strategy. Each will need to have a solid API design that gives all of the other groups API access to all of the services through both the Web Services legacy (SOAP) and the emerging API Economy imperative (RESTful).

If each group does not have a solid SOAP/RESTful API strategy, they simply will not succeed—either individually or as a whole.

I know it sounds strange coming from me that an organization should continue embracing the SOAP legacy, but there are just too many government and non-profit organizations that cannot afford to jump to the real world quickly and must continue carrying the burden of the past. So it is sometimes.

Of course there are many more issues involved with the success of this initiative beyond APIs; these issues will be covered in more depth in subsequent KuppingerCole reports and activities at the EIC Conference in May 2013.

Nonetheless, we see this move by NIST to grant these awards as positive, and one that will have a reverberating impact on the Identity community—across the globe—for the good, for some time to come.


Salesforce Identity

21.09.2012 by Craig Burton

Identity Management as a Service (IdMaaS) gets a new 500lb gorilla

Introduction

When I first heard of Salesforce’s Identity announcements this week at Dreamforce, I was reminded of the old joke “Q: Where does a 500lb. gorilla sit? A: Anywhere he wants.”

Salesforce Identity makes Salesforce the new 500lb gorilla in the Digital Identity jungle.

Announcement Details

You can read the basic details of the announcement on Chuck Mortimore’s blog. Here is a quick summary:

What is Salesforce Identity?

Salesforce Identity provides Identity and Access Management (IAM) services for Web and mobile applications, delivered through the simplicity, transparency, and trust of the Salesforce Platform.

  • For users, Salesforce Identity means no more frustration juggling passwords for each application. Login once and seamlessly access all your applications and data using Single Sign-On from a single, social Identity.
  • Administrators gain control and flexibility over access to applications by automating identity and access management processes through the simplicity you’ve come to expect from Salesforce.
  • CIOs can leverage existing authentication investments, while gaining control and peace-of-mind over your cloud investments via centralized reporting and deprovisioning.
  • Developers can build Web, mobile or tablet applications on the Salesforce Platform or on any third-party platform through simple standards based integration.
  • ISVs can tap into the power and distribution of AppExchange and Login with Salesforce regardless of where their app runs, be that Force.com, Heroku, mobile, or any other cloud.

High Level Analysis

I find it so fascinating that the laggard in joining the Cloud Computing parade—Microsoft—was the first to announce an IdMaaS initiative, in a very low-key, understated way, and that the leader in the SaaS movement—Salesforce—shouts its IdMaaS strategy from the rooftops at its mainstream technology conference with Marc Benioff leading as the main spokesperson. It so underlines how clueless Steve Ballmer is to the issues facing Microsoft and its customers.

Identity, and solving the problem of Identity in a Cambrian Explosion of Everything is job 1.

  • There are some people at Microsoft that know this. This does not include Steve Ballmer.
  • As of today, everybody at Salesforce knows it and can’t avoid it. Marc Benioff made the announcement and outlined the vision for Identity in Salesforce’s future.

Putting it another way, the Computing Troika—Cloud Computing, Mobile Computing, and Social Computing—has forced to the surface the issue of digital identity as the keystone technology issue for everything.

Without a tractable implementation of identity for the entire industry to use—think IdMaaS—all entrances to the future of computing collapse—the identity keystone holds it all together.

Salesforce entering the IdMaaS business with its substantial vision, leadership and technology resources cannot help but have a positive effect for everyone in the long term.

Of course we will have to wait and see exactly what Salesforce delivers in the initial IdMaaS implementation, but Chuck Mortimore has an impeccable track record and knows his stuff.

I am impressed and will follow up after more information is available.


SAML is Dead! Long Live SAML!

19.09.2012 by Craig Burton

Answers to the unanswered questions from the webinar

Introduction

Last Friday on Sept. 14, Pamela Dingle—Sr. Technical Architect from Ping Identity Corp.—and I conducted a free webinar about the much ballyhooed demise of SAML.

You can view the webinar in its entirety on the KuppingerCole website.

To us, the best measurement of interest in any given webinar is the drop-off rate. Just how many people drop off during the presentation? We were very pleased with the interest in the topic, both for the number of attendees and for the fact that no one dropped off during the presentation and Q&A.

However, we did not have the time to answer all of the questions presented. The following is a sequence of questions and answers that were left open.

It could be a little disorienting to read this Q&A if you didn’t attend the webinar; I recommend watching the webinar first to avoid any confusion or misunderstanding.

Webinar Questions and Answers

Q: Since organizations have still not migrated entirely to APIs, i.e. we still have web browser based applications, my question is: instead of implementing different solutions, one for browser based applications and one for APIs, do you suggest a common way to support both kinds of users? Thanks

A: Using APIs does not preclude using the browser to access the information and resources provided by the API. In fact, using the browser for API access is quite common. The subtext of this presentation is that access is not limited to the request-response browser model that we know and love for traditional applications. We are now moving beyond that model to an interactive model.

Q: As a follow up these companies could help us “leap frog” to newer protocols very quickly much like some countries skip the notion of “land line” because it’s easier to deploy cellular.

A: Great metaphor. Indeed the combination of RESTful API interface (HTTP), OAuth, JSON, UMA, SCIM, and webhooks are the technologies that I think are the leapfrog technologies.

Q: Many companies are outsourcing IT functions to outside providers, at what point do we just take this to the n-th degree and just let an org like Google or Apple handle identity for us? Is that too scary?

A: I think the answer lies in a simple question: is the vendor that manages your identity your customer, or are you their customer? If the answer is the latter, it is very scary indeed. As long as we have the expectation that Identity Management be free, and act as customers of the vendors that provide that service, they will be monetizing our identities to pay for the service. It will be up to the corporation or individual to choose which direction to take.

Q: What about devices not directly linked to people? I.e. do you have numbers that include the Internet of Things?

A: I tried to keep the numbers focused and understandable. Including inanimate and non-digitized items just increases the whole argument. Look for more info on numbers in future conversations.

Q: Have you considered the impact of the availability of global identities on the problem you sketched?

A: I don’t think the availability of a global identity reduces any of the issues in the arguments. Global identities—assuming it will ever happen—just compounds the problem.

Q: Ok, Craig, how do you deal w/ 2.8B identities – who numbers them? Who vets them? What fraud is possible? What is the metasystem – and does it really matter whether it is OAuth/SAML/OpenID?

A: This is a multipart question and I will answer each part in turn. First off, it is 28 billion and not 2.8.

  1. Different organizations—both open and private—will number these entities.
  2. Some of them will be vetted and some not. This becomes a big problem we are still grappling with, especially when no single Identity Provider can even be considered to be the validation resource for even a fraction of the entities we are talking about. Look for more information on Trust Frameworks to understand more on this topic.
  3. Yes, fraud is possible. Fraud will always be an issue. It needs to be minimized. I think we are on an encouraging course to resolve these matters.
  4. The only Metasystem proposed so far is the Identity Management as a Service architecture being designed by Kim Cameron at Microsoft in the form of Azure Active Directory.
  5. Finally, in the end the protocols won’t matter, just as the argument of CSMA vs. Token Ring no longer matters. We will simply move up the stack. It gets a little more complicated at this level because there are no more layers in the stack to move up to. This is all layer 7 stuff. Layer 7.5?

Q: Will you be talking about this at IIW 15?

A: I am registered for IIW 15 and plan to attend. I will coordinate with Pamela to see if we can repeat this session during the conference.

Q: Just want to echo Pam’s point that the combinatorial explosion is an overestimate. Not all users & devices will connect to all services. The real world ecosystem sees users congregate in niches.

A: I think the combinatorial explosion is an underestimate. Even Pam’s soft-pedaled numbers are still staggering. If you recall, she thought that most organizations could look at the provisioning of devices in the 1000s or 10s of thousands. OK. To date, anything over 150 starts to create huge administrative overhead. This is not going to go away or be minimized by downplaying what has already happened. 400M iOS devices alone. The numbers are staggering.

Conclusion

Thanks for the great questions and participation. I look forward to seeing people at IIW. I encourage anyone who attended this conference to attend IIW and the EIC next May in Munich.


Identity in a Post-PC Era

17.09.2012 by Craig Burton

How 400M iOS devices changes everything

Most of the planet at least paid a little bit of attention to the announcement of the iPhone 5 on Sept. 12th. The anticipation for the announcement was so high, that sales of the iPhone 4 and iPhone 4s actually dipped some in the last quarter.

While I like all of the things Apple has done with the new iPhone — and I have already ordered mine — I found the other information given at the announcement to be astounding.

The numbers — presented in the keynote by CEO Tim Cook — were more than just significant. Especially when viewed from the perspective of the KuppingerCole API Economy Axioms.

These axioms are based on the API Economy phenomenon that is occurring at the same time as the computing troika trends—cloud, social and mobile computing.

The KuppingerCole API Axioms

  1. Everyone and everything will be API-enabled
  2. The API Ecosystem is core to any cloud strategy
  3. Baking core competency in an API-set is an economic imperative
  4. Enterprise inside-out
  5. Enterprise outside-in

Axiom #1: Everything and Everyone will be API-enabled

Understanding the first axiom is straightforward. KuppingerCole envisions that everyone — meaning all entities, not just people — and everything — even non-smart objects — will be API-enabled. It is also understood that being API-enabled necessarily requires at least one identity for everyone and everything. And in reality, almost everyone will have multiple personas and relevant identifiers and therefore multiple identities.

Now that I have set the context with Axiom #1, let’s look at what Mr. Cook talked about.

He first gave us the total number of iOS devices to date. I knew the total was large but I had no idea just how large. As of the end of June 2012, there are a whopping 400M iOS devices. The rest of the numbers are just as mind boggling.

  • 400 million iOS devices
  • 700,000 apps in the app store
  • Average person uses 100+ apps
  • 84 million iPads
  • 68% market share of the tablet market
  • 17 million iPads sold during April-June 2012
  • 94% of Fortune 500 investing in or deploying iPads at work

Now let’s add Cisco’s recent predictions to the mix.

  • 2.5 connections for every person on earth (19 billion) by 2016
  • 3.4 billion Internet users (45% of the planet’s population) by 2016
  • 1.3 zettabytes of annual IP traffic (Zettabyte = one sextillion or 1E+21) by 2016. This is four times as much traffic as in 2011.

If you follow the logic of my argument, there will be 20+ billion APIs all needing distinct identities by the year 2016.

Apple’s revelation of the actual number of iOS devices not only shows us that we are well on our way to that number, but that in all likelihood we will surpass all predictions by some margin.

What does all this Mean?

The way we have been federating identities across domains using federated naming systems will simply not scale to address the needs we already have.

The wave of device proliferation isn’t coming in the future, it has already washed over us and is causing big identity related issues.

We all need to understand this phenomenon and begin to engage in addressing the matter in an intentional way.

Let me explain a little more.

Today, all federated naming systems designed to map IDs to services are admin-intensive. They all require an admin to make and verify the mappings by hand. One by one.

If you do the math, it would take more than 640,000 admins working round the clock for 5 years to get all of the mappings completed. And that is if it only takes 10 min or so per mapping and there are no mistakes.

In other words, today’s approach isn’t going to cut it.

We are in much need of an automated method to provision federated naming systems.

The good news is that there are initiatives afoot that could help us in these matters.

  • OpenID Connect — API specification for SAML and other protocols using OAuth 2.0
  • OAuth 2.0 — Standardized authorization delegation protocol
  • SCIM — System for Cross-domain Identity Management — standardized provisioning protocol
  • UMA — User-Managed Access — standardized user-managed Identity management protocol
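What automated provisioning replaces the hand-made mappings with, as an added example that is not the article's or KuppingerCole's code: a SCIM 2.0 (RFC 7643/7644, a revision that post-dates this 2012 post) client that maps directory records to User resources and reconciles each record's externalId to the id the service assigns, run against a constructed in-memory stand-in for a provider's /Users endpoint with an OAuth 2.0 bearer-token check. All records, tokens and class names are constructed for the example.

```python
import json
import uuid

# SCIM 2.0 core User schema URI (RFC 7643).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample data: a bearer token and three HR records, one of them invalid.
VALID_TOKEN = "example-bearer-token"
RECORDS = [
    {"id": "hr-1001", "login": "asmith", "first": "Ann", "last": "Smith",
     "email": "ann@example.org", "enabled": True},
    {"id": "hr-1002", "login": "", "first": "No", "last": "Login"},   # rejected client-side
    {"id": "hr-1003", "login": "bjones", "email": "bob@example.org", "enabled": False},
]


def to_scim_user(record):
    """Map an internal directory record to a SCIM 2.0 User resource.

    externalId carries the source-system key, so the identity-to-service
    mapping travels inside the protocol instead of being typed in by an admin.
    """
    if not record.get("id") or not record.get("login"):
        raise ValueError("record needs both 'id' and 'login'")
    emails = [{"value": record["email"], "primary": True}] if record.get("email") else []
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": record["id"],
        "userName": record["login"],
        "name": {"givenName": record.get("first", ""), "familyName": record.get("last", "")},
        "emails": emails,
        "active": bool(record.get("enabled", True)),
    }


class ToyScimServer:
    """In-memory stand-in for a provider's /Users endpoint (constructed, not a real SCIM server)."""

    def __init__(self):
        self.users = {}        # service-side id -> stored resource
        self.by_external = {}  # externalId -> service-side id

    def post_users(self, body, bearer_token):
        """Emulate POST /Users: returns (HTTP status, response body)."""
        if bearer_token != VALID_TOKEN:          # OAuth 2.0 bearer-token check
            return 401, {"detail": "invalid or missing bearer token"}
        if SCIM_USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, {"scimType": "invalidValue", "detail": "schema or userName missing"}
        ext = body.get("externalId")
        if ext in self.by_external:
            return 409, {"scimType": "uniqueness", "detail": "externalId already provisioned"}
        sid = str(uuid.uuid4())
        stored = dict(body, id=sid)
        self.users[sid] = stored
        if ext:
            self.by_external[ext] = sid
        return 201, stored


def provision(records, server, token):
    """Provision every record; return (externalId -> service id map, failures).

    Re-running is idempotent: a 409 for an already-provisioned externalId is
    resolved by reusing the existing service id rather than treated as an error.
    """
    mapping, failures = {}, []
    for rec in records:
        try:
            body = to_scim_user(rec)
        except ValueError as err:
            failures.append((rec.get("id"), "invalid: " + str(err)))
            continue
        # Serialise and parse again to mimic the JSON body crossing the wire.
        status, resp = server.post_users(json.loads(json.dumps(body)), token)
        if status == 201:
            mapping[body["externalId"]] = resp["id"]
        elif status == 409:
            mapping[body["externalId"]] = server.by_external[body["externalId"]]
        else:
            failures.append((body["externalId"], status))
    return mapping, failures
```

Against a real provider the `post_users` call would be an HTTPS POST to its `/Users` URL with `Authorization: Bearer <token>`; the reconciliation logic stays the same.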

Summary

The need to understand the identity explosion is not something that is in the future.

It is already upon us.

We need to begin understanding the new wave of standards that will allow organizations to automate identity management in the enterprise post-haste.

There are dangers that need to be considered along this post-haste path.

None of the protocols — despite their rapid standardization tracking — have been proven to be tractable or robust enough to handle the extreme situation they are being thrust into.

We are in new — very exciting and rewarding — territory.

It is critical that we educate ourselves about the issues and keep abreast of what is happening.

Stay tuned.

© 2014 Craig Burton, KuppingerCole