Stopping a Clapper Over WikiLeaks

27.01.2012 by Tim Cole

The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders.

The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens if someone who isn’t authorized tries to access them or pass them on illegally. In fact, that is the whole idea of “information-centric IT security”, a buzzword that is gaining popularity among Digital Identity Management experts and privacy advocates.

But publicly announcing their aim of stopping another WikiLeaks-style exposure of classified information just shows that the Official Mind has yet to grasp the real implications of the Digital Revolution. “Information wants to be free” was originally a clarion call by Internet activists who believed that transparency should be the hallmark of an open society. In fact, the real motto is best encompassed in what I once dubbed “Cameron’s Law”, after Microsoft’s “identity guru” Kim Cameron, who once postulated that “sensitive information will be leaked”.

Yes, we all need to do all we can to protect privacy and guard crucial bits of information. But we should also be prepared for the worst. IT Security can create a false sense of confidence in our own defense mechanisms. At least as important as plugging holes in the dyke is to prepare oneself for the moment when the levees break and the floodwaters start to rise. Maybe “Remember New Orleans” would be a good slogan for security professionals to hang on their walls.

I found it particularly poignant to read the name of the official in charge of U.S. government efforts to create the Totally Secure System: Jim Clapper, the Director of National Intelligence, the mention of whom brings irresistibly to mind the old nautical expression about “clapping a stopper” over something, meaning to block something effectively. “Clapper” is actually the word for a safety valve – and as any engineer will tell you, the function of a valve is to let something out before the pressure reaches dangerous levels and pieces of stuff start flying around.

Of course, controlling the release of data so that only authorized individuals are able to see and use them is in fact what Identity Management is all about – or should be.


Slipsliding away from passwords

23.07.2011 by Tim Cole

Tell me a story!

Everybody hates passwords, because there are so many of them and keeping track is tricky. And of course we all know that passwords are inherently insecure, so we would all be better off with something else. Nowadays, there’s another reason to hate passwords, namely the profusion of smartphones and other mobile devices with itsy-bitsy, teeny-weenie keypads that make typing in long, complicated passwords a real pain.

Lots of people have spent lots of time trying to come up with alternatives. Biometrics? Smartcards? Keystroke recognition? Voice recognition? You name it, somebody’s done it, but so far no one has come up with anything simple and foolproof enough to convince the IT industry to shift paradigms.

One of my favorite quick fixes to the password dilemma has always been “Passfaces”, a system used, among others, by members of the U.S. Congress. It involves memorizing a certain number of faces and later picking them out of a matrix of other faces you’ve never seen before. Politicians, it seems, are especially good at remembering a face, so for them the system is ideal. Not so for normal people, as a study by the Department of Computer Science at University College London showed. “Passfaces took a long time to execute”, the authors wrote, “and participants consequently started their work later when using Passfaces than when using passwords, and logged into the system less often.”

Okay, so maybe Passfaces aren’t such a great idea after all. Which brings me to a conversation I had recently with Christoph Althammer of a tiny German startup called Qintecs. Based in the medieval cathedral town of Regensburg on the Danube, Althammer and his friend Martin Kühnel have come up with something they call “3SID”, which at first glance looks like a spitting image (no pun intended) of Passfaces, but isn’t. In fact, it’s an ingenious way to avoid the need for passwords in smartphones and other devices equipped with a touch screen.

The way it works is like this: The user shoots photos with the built-in camera of his or her device and then concocts a little story. For instance, if I have a picture of my wife, my daughter and, let’s say, Moran’s Oyster Cottage in Galway, Ireland (yes, I just got back from vacation, why do you ask?), the story could be: “I went with Gabi and Valerie to Moran’s.” By sliding the appropriate picture over the previous one, you create a pattern which unlocks the device. Okay, it sounds a lot more complicated than it is, believe me.

Technically, the concept is very appealing because it doesn’t involve simply substituting a picture for a character or set of characters. The system actually uses the vectors generated on the touch screen to create a hash value which is then used as the identifier. All those Murdoch reporters using script kiddie tools to unlock people’s mobile phones don’t stand a chance of getting in by simply trying out all the possible combinations. You would have to actually look over my shoulder to see which pictures I am pushing and where I’m pushing them, which would be tricky if I am using four or five images.

It took me about 10 seconds to get the trick, so I guess anybody could do it. And all I needed was my thumb, so I could probably do it while driving (although I don’t suggest anyone should).

But how do I reset the system if I forget my little story line, I asked Althammer. He beamed at me and showed me what I think is a really neat idea: Users are provided with a card containing a QR Code, which looks like a square bar code. All you have to do is take a photo of the code marker with the built-in camera of your smartphone, type in a password [sic!], and you’re off to the races.

Frankly, even if 3SID doesn’t catch on the way its investors would like, I think the QR Code idea deserves some attention by identity experts. Why didn’t I think of that?

Anyway, Althammer and his backers have secured a patent on their invention, and they’re actively looking for investors, so if you, too, hate passwords and would like to make a mint of money providing an alternative, maybe you should give them a ring. You can reach him at www.qintecs.de.


IT Security’s little “Pulchinella Secret”

16.05.2011 by Tim Cole

The European Identity Conference EIC, which recently ended here in Munich, had many highlights, but for me personally the very best was the keynote by the Italian psychologist Dr. Emilio Mordini, CEO of the Centre for Science, Society and Citizenship CSSC in Rome, which he describes as a leading independent research centre specializing in advice on political, ethical and social issues raised by emerging technologies. His topic was “Secrecy in the Post Wikileaks Era”, in itself a fascinating subject, but where it got really entertaining and thought-provoking was when he turned to the subject of the “segreto di Pulcinella”, or Pulchinella Secrets.

Pulchinella, we all learned, is a bumbling, clownish figure from the Italian “commedia dell’arte”, a traditional folksy form of theatre that began in Italy in the mid-16th century and which is characterized by masked “types” giving often improvised performances based on sketches or scenarios. According to Wikipedia, “arte” does not refer to “art” as we currently consider the word, but rather to that which is made by “artigiani” (artisans).



Welcome Craig Burton!

04.05.2011 by Tim Cole

Today marks a milestone in the history of KuppingerCole, since today is the day we welcome the youngest member of our team. Did I say “young”? Sorry, wrong word. Of course he isn’t really the oldest – that’s still me. But he ain’t exactly no spring chicken, either.

I’m talking about Craig Burton, of course. Yes, that Craig Burton. The guy who founded The Burton Group. The same guy who almost single-handedly defined what it means to be an analyst in the Identity & Access Management workplace. One of the leading lights in our industry, grayest of “éminences grises” in a field where graying temples and even manes of white are becoming increasingly common.

Craig left the company that still bears his name quite a while before they were acquired by Gartner, and he has spent most of his time working as a private consultant, at the same time performing the heartrending duties of a son during the final years of terminally ill parents. He is now a free agent once again, and he is eager to explore the future of an IT industry that he sees as becoming increasingly identity-aware in ways that many of us still can’t really imagine. His first post on his new KuppingerCole blog is entitled “The Living Web” and explores how the “Internet of Things” will change our lives perhaps more profoundly than the original World Wide Web.



Pretzels in the Cloud

22.04.2011 by Tim Cole

You know you’re at a real nerdfest when the conference catering consists of large pretzels and candy bars. This tweet by some unknown delegate just about captures my own impression of TEC 2011. Measured in terms of techies per square foot, this simply has to be the geekiest conference in the galaxy.

For me as an Identity guy, it was also a kind of homecoming, a reassurance that, yes, there are lots and lots of people out there that share our vision of a world where digital identities will better protect and enable us both in our business and our private lives.


The Sandmen Cometh

18.04.2011 by Tim Cole

“Silicon-based lifeforms” is a term Ray Bradbury might have used to great effect. “Invasion of the Sand Beings” would have made a great sci-fi title. Just imagine the film trailer: “They’re awesome! They’re everywhere! They’re made of silicon! They’re indestructible!”

So imagine my surprise hearing what seemed at first to be a level-headed CEO explaining to me that his company, Venafi, is in the business of supplying “ID badges for silicon-based lifeforms”. Okay, Venafi has its headquarters in a Salt Lake City suburb named, of all things, Sandy, but this surely is a pun too far, isn’t it?

No joke, though. Jeff Hudson sees certificates as the best, or at least the most prevalent, way of giving identity to the machines that run our IT systems – and increasingly the world.


Having the right conversation on online banking security

22.03.2011 by Tim Cole

Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.

No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentity makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.

Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).

ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a non-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simply reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.


Your law or mine in the Cloud?

17.03.2011 by Tim Cole

Where in the Cloud am I? And more importantly: Where are my data? I know that many managers and CIOs are asking themselves similar questions. In fact, as I have posted before, a colleague of mine put that question to Martin Jetter, CEO of IBM Germany, at a briefing about a year ago, namely: “If I give you my data to store in the Cloud, where exactly are they?” Mr. Jetter didn’t quite get the question at first, so he launched into a lengthy technical explanation, but the guy interrupted him and insisted: “I mean, physically, where are they?”

Of course, there was no really good answer, and Jetter sort of danced around the question and then hurried on to something completely different (in the famous words of John Cleese of Monty Python fame). The scene came to my mind recently when I read a Software Advice blog post by Gustav Westerlund, CEO of CRM-Konsulterna, a Swedish consultancy, entitled “Is Your Cloud Safe From the Law?” in which he discusses the lack of legal precedents concerning transnational laws and trade agreements with respect to cloud computing. He asks two deceptively simple questions, just like my colleague did to Mr. Jetter, namely:

- Which country’s laws apply to the data stored in the Cloud?

- Which country’s laws apply to the data being transferred?

I have blogged about this subject myself concerning the ramifications of European data protection laws which have forced Amazon, for instance, to operate a completely self-contained “European Cloud” based in Dublin so that their European customers won’t go to jail (or have to pay the maximum fine of 300.000 Euros stipulated by the EU directive) just because somebody’s name and address made it across the Atlantic due to the magic of packet switching. But Westerlund takes the issue a step further.



Is encryption really the cure for what ails ya in the Cloud?

21.02.2011 by Tim Cole

Almost two years ago, I blogged about a conversation I had with Martin (“Tall Martin”) Buhr about Cloud Security. At the time, he was the European head of Amazon’s Web Services, and he has recently moved on to Nimbula (“the Cloud Operating System company”) as head of sales and business development, but his words came back to me during an analyst panel at RSA Conference in SFO, where I shared the rostrum with Eric Maiwald of Gartner and Jonathan Penn of Forrester and during which we touched on regulation issues that could block the development of Cloud Computing.

In Europe, the case is very clear: The European Data Protection Directive only allows personal data to be transferred to so-called “third countries” if that country provides an adequate level of protection. The most prominent third country is, of course, the United States which chooses for reasons we needn’t get into here to refuse individuals the right to control their personal data the way Europeans can.

In the age of packet switching, nobody can be sure some piece of information won’t make a hop over to New York or San Francisco on its way from, say, London to Frankfurt. That is the charm and the wonder of TCP/IP, that data will always find a workaround if some part of the net is blocked, clogged or restricted. The original scenario, of course, was a Russian attack on the U.S. military’s communications infrastructure, and the thing data packets were supposed to get around were gaping, radioactive holes in the ground where major U.S. cities (and telephone hubs) once stood.

Thankfully, the clear and present danger of such doomsday scenarios has faded somewhat, but the principle behind TCP/IP remains: It is almost impossible to restrict the flow of data anywhere in the world, short of shutting down the entire Internet, as the authorities in Egypt and Iran have done, or erecting gigantic electronic barriers like the Great Firewall of China.

Since in the age of Cloud Computing nobody really knows where on earth their data are at any given moment (that’s the charm of Cloud Computing, after all!), any European CEO who allows personal data about customers or employees to be stored in the Cloud can be seen as having one foot in jail. Let an auditor or a police investigator find that data residing outside the physical boundaries of the EU, then the CEO’s number is up. And he can’t pass the buck on to his CIO, because managerial liability doesn’t work that way. It’s his call, and if he didn’t keep his CIO on a leash, then tough luck!



Security or a ham sandwich?

16.02.2011 by Tim Cole

When identity pros get together and let their hair down, they like to swap stories about all the dumb and/or ill-advised things people do with their passwords. The BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied. Which calls to mind George Bernard Shaw’s famous question: “What’s better: eternal salvation or a ham sandwich? Well, nothing’s better than eternal salvation, but a ham sandwich is better than nothing…”

In fact, most of the stuff you hear about the risks of identity theft and sloppy password management is anecdotal. Which is why I really enjoyed listening to Lora Deeds of Quest Software, who used the RSA Conference in San Francisco as the venue to introduce a survey her company did with Harris Interactive on the use of policies and technologies to manage and protect users’ electronic identities, including provisioning and especially deprovisioning of those IDs.

What they did was ask some 1,500 white collar workers and an additional 500 IT decision makers to tell them the truth about some dirty little secrets surrounding identity and security. They didn’t really find out anything new, but they did provide much-needed proof for some of the things we ID Pros have been assuming for years, namely that people and companies are extremely negligent in their everyday care and feeding of digital identities.




© 2012 Tim Cole, KuppingerCole