Stopping a Clapper Over WikiLeaks

27.01.2012 by Tim Cole

The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders.

The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens if someone who isn’t authorized tries to access it or pass it on illegally. In fact, that is the whole idea of “information-centric IT security”, a buzzword that is gaining popularity among Digital Identity Management experts and privacy advocates.
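To make the “rules travel with the information” idea concrete, here is a small added example (my own illustration, not anything from the U.S. government’s plan or from a particular product): a piece of content is sealed together with a policy stating who may do what with it, and an HMAC binds content and policy together so the label cannot be stripped or edited without the enforcement point noticing. Every access attempt, authorized or not, lands in an audit trail, which is the “tracking” part. The key, the principal names and the policy format are all invented for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Hypothetical enforcement-point key. In a real deployment this would live in a
# key service or HSM, never next to the data it protects.
ENFORCER_KEY = b"demo-key-do-not-use-in-production"


@dataclass(frozen=True)
class Policy:
    """Rules travelling with a piece of information: who may do what with it."""
    owner: str
    classification: str
    allowed: dict  # principal -> set of actions, e.g. {"alice": {"read"}}


@dataclass(frozen=True)
class Envelope:
    content: bytes
    policy: Policy
    tag: bytes  # HMAC over content and policy; binds the label to the data


class AccessDenied(Exception):
    pass


AUDIT_LOG: list = []  # constructed in-memory audit trail for the example


def _canonical(policy: Policy) -> bytes:
    # Sets are unordered; sort everything so the same policy always
    # serialises to the same bytes and therefore the same MAC.
    return json.dumps(
        {
            "owner": policy.owner,
            "classification": policy.classification,
            "allowed": {p: sorted(a) for p, a in sorted(policy.allowed.items())},
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


def _mac_input(content: bytes, policy: Policy) -> bytes:
    # Length-prefix the content so content/policy boundaries are unambiguous.
    return len(content).to_bytes(8, "big") + content + _canonical(policy)


def seal(content: bytes, policy: Policy) -> Envelope:
    """Attach the policy to the content and bind both with a MAC."""
    tag = hmac.new(ENFORCER_KEY, _mac_input(content, policy), hashlib.sha256).digest()
    return Envelope(content, policy, tag)


def open_envelope(env: Envelope, principal: str, action: str) -> bytes:
    """Release the content only if the label is intact and the policy allows it."""
    expected = hmac.new(ENFORCER_KEY, _mac_input(env.content, env.policy),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env.tag):
        # Somebody changed the content or rewrote the rules: refuse and record it.
        AUDIT_LOG.append({"principal": principal, "action": action,
                          "result": "tampered"})
        raise AccessDenied("label does not match content")
    if action not in env.policy.allowed.get(principal, set()):
        AUDIT_LOG.append({"principal": principal, "action": action,
                          "classification": env.policy.classification,
                          "result": "denied"})
        raise AccessDenied(f"{principal} may not {action} this item")
    AUDIT_LOG.append({"principal": principal, "action": action, "result": "ok"})
    return env.content


if __name__ == "__main__":
    cable = seal(b"constructed sample cable", Policy(
        owner="state", classification="SECRET",
        allowed={"alice": {"read"}, "bob": {"read", "forward"}}))
    print(open_envelope(cable, "alice", "read"))
    try:
        open_envelope(cable, "alice", "forward")
    except AccessDenied as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```

The MAC only stops the label from being altered by someone without the enforcer key; it does nothing once an authorized reader has the plaintext, which is exactly the leak scenario the next paragraphs are about.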

But publicly announcing the aim of stopping another WikiLeaks-style exposure of classified information just shows that the Official Mind has yet to grasp the real implications of the Digital Revolution. “Information wants to be free” was originally a clarion call by Internet activists who believed that transparency should be the hallmark of an open society. In fact, the real motto is best encompassed in what I once dubbed “Cameron’s Law”, after Microsoft’s “identity guru” Kim Cameron, who once postulated that “sensitive information will be leaked”.

Yes, we all need to do all we can to protect privacy and guard crucial bits of information. But we should also be prepared for the worst. IT Security can create a false sense of confidence in our own defense mechanisms. At least as important as plugging holes in the dyke is to prepare oneself for the moment when the levees break and the floodwaters start to rise. Maybe “Remember New Orleans” would be a good slogan for security professionals to hang on their walls.

I found it particularly poignant to read the name of the official in charge of U.S. government efforts to create the Totally Secure System: Jim Clapper, the Director of National Intelligence, the mention of whom brings irresistibly to mind the old nautical expression about “clapping a stopper” over something, meaning to block something effectively. “Clapper” is actually the word for a safety valve – and as any engineer will tell you, the function of a valve is to let something out before the pressure reaches dangerous levels and pieces of stuff start flying around.

Of course, controlling the release of data so that only authorized individuals are able to see and use them is in fact what Identity Management is all about – or should be.


Slipsliding away from passwords

23.07.2011 by Tim Cole

Tell me a story!

Everybody hates passwords, because there are so many of them and keeping track is tricky. And of course we all know that passwords are inherently insecure, so we would all be better off with something else. Nowadays, there’s another reason to hate passwords, namely the profusion of smartphones and other mobile devices with itsy-bitsy, teeny-weenie keypads that make typing in long, complicated passwords a real pain.

Lots of people have spent lots of time trying to come up with alternatives. Biometrics? Smartcards? Keystroke recognition? Voice recognition? You name it, somebody’s done it, but so far no one has come up with anything simple and foolproof enough to convince the IT industry to shift paradigms.

One of my favorite quick fixes to the password dilemma has always been “Passfaces”, a system used, among others, by members of the U.S. Congress. It involves memorizing a certain number of faces and later picking them out of a matrix of other faces you’ve never seen before. Politicians, it seems, are especially good at remembering a face, so for them the system is ideal. Not so for normal people, as a study by the Department of Computer Science at University College London showed. “Passfaces took a long time to execute”, the authors wrote, “and participants consequently started their work later when using Passfaces than when using passwords, and logged into the system less often.”

Okay, so maybe Passfaces aren’t such a great idea after all. Which brings me to a conversation I had recently with Christoph Althammer of a tiny German startup called Qintecs. Based in the medieval cathedral town of Regensburg on the Danube, Althammer and his friend Martin Kühnel have come up with something they call “3SID”, which at first glance looks like a spittin’ image (no pun intended) of Passfaces, but isn’t. In fact, it’s an ingenious way to avoid the need for passwords in smartphones and other devices equipped with a touch screen.

The way it works is like this: The user shoots photos with the built-in camera of his or her device and then concocts a little story. For instance, if I have a picture of my wife, my daughter and, let’s say, Moran’s Oyster Cottage in Galway, Ireland (yes, I just got back from vacation, why do you ask?), the story could be: “I went with Gabi and Valerie to Moran’s”. By sliding the appropriate picture over the previous one, you create a pattern which unlocks the device. Okay, it sounds a lot more complicated than it is, believe me.

Technically, the concept is very appealing because it doesn’t involve simply substituting a picture for a character or set of characters. The system actually uses the vectors generated on the touch screen to create a hash value which is then used as the identifier. All those Murdoch reporters using script kiddie tools to unlock people’s mobile phones don’t stand a chance of getting in by simply trying out all the possible combinations. You would have to actually look over my shoulder to see which picture I am pushing and where I’m pushing it, which would be tricky if I am using four or five images.
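As an added illustration (my own sketch, not Qintecs’ code, and I have not seen their implementation), here is what “hash the gesture and store only the hash” looks like, together with the one check a security engineer would run before trusting it: how many distinct stories are there to try? I assume a story reduces to the ordered photos the user slides, one over the previous, which is the quantisation any such scheme needs, since nobody reproduces a swipe pixel for pixel. The hash is PBKDF2 over that canonical encoding. Note that hashing by itself does not stop guessing: with a gallery of 5 photos and a three-step story there are only 5×4×3 = 60 stories, so whoever gets hold of the stored verifier can try them all offline in seconds, and the on-device attempt limit at the end is what actually defeats “trying out all the possible combinations”. The photo names and numbers are constructed for the example.

```python
import hashlib
import hmac
import itertools
import math
import os
from typing import Optional, Sequence, Tuple

# Assumed model of a "story": the ordered photos the user slides, e.g.
# ("gabi", "valerie", "morans"). Real 3SID hashes touch vectors; here each
# drag is reduced to the photo it started on.
Story = Tuple[str, ...]

ROUNDS = 100_000  # PBKDF2 work factor; slows every guess, on and off the device


def encode_story(story: Story) -> bytes:
    # Canonical encoding. Length-prefixing each id avoids ambiguity such as
    # ("ab", "c") colliding with ("a", "bc"). Ids are assumed shorter than 64 KiB.
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in story)


def enroll(story: Story, salt: Optional[bytes] = None,
           rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) to store on the device instead of the story."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", encode_story(story), salt, rounds)


def verify(story: Story, salt: bytes, verifier: bytes, rounds: int = ROUNDS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", encode_story(story), salt, rounds)
    return hmac.compare_digest(candidate, verifier)


def story_space(gallery_size: int, story_length: int) -> int:
    """Distinct stories: an ordered choice of story_length photos out of the gallery."""
    return math.perm(gallery_size, story_length)


def brute_force(gallery: Sequence[str], story_length: int, salt: bytes,
                verifier: bytes, rounds: int = ROUNDS) -> Optional[Story]:
    """What an attacker holding the stored verifier and the photos can do offline."""
    for candidate in itertools.permutations(gallery, story_length):
        if verify(candidate, salt, verifier, rounds):
            return candidate
    return None


class Unlocker:
    """On-device check with an attempt limit, the control that really stops
    guessing when the story space is small."""

    def __init__(self, salt: bytes, verifier: bytes,
                 max_attempts: int = 5, rounds: int = ROUNDS):
        self.salt, self.verifier = salt, verifier
        self.max_attempts, self.rounds = max_attempts, rounds
        self.failures = 0
        self.locked = False

    def unlock(self, story: Story) -> bool:
        if self.locked:
            return False  # refuse even a correct story once locked
        if verify(story, self.salt, self.verifier, self.rounds):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    gallery = ("gabi", "valerie", "morans", "dog", "car")  # constructed photo ids
    salt, ver = enroll(("gabi", "valerie", "morans"))
    print("stories to try:", story_space(len(gallery), 3))
    print("offline guess recovers:", brute_force(gallery, 3, salt, ver))
```

Raising the work factor multiplies the attacker’s cost by a constant; adding photos to the gallery or steps to the story multiplies the number of guesses, which is where the real strength has to come from.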

It took me about 10 seconds to get the trick, so I guess anybody could do it. And all I needed was my thumb, so I could probably do it while driving (although I don’t suggest anyone should).

But how do I reset the system if I forget my little story line, I asked Althammer. He beamed at me and showed me what I think is a really neat idea: Users are provided with a card containing a QR Code, which looks like a square bar code. All you have to do is take a photo of the code marker with the built-in camera of your smartphone, type in a password [sic!], and you’re off to the races.

Frankly, even if 3SID doesn’t catch on the way its investors would like, I think the QR Code idea deserves some attention by identity experts. Why didn’t I think of that?

Anyway, Althammer and his backers have secured a patent on their invention, and they’re actively looking for investors, so if you, too, hate passwords and would like to make a mint of money providing an alternative, maybe you should give them a ring. You can reach him at www.qintecs.de.


IT Security’s little “Pulchinella Secret”

16.05.2011 by Tim Cole

The European Identity Conference EIC, which recently ended here in Munich, had many highlights, but for me personally the very best was the keynote by the Italian psychologist Dr. Emilio Mordini, CEO of the Centre for Science, Society and Citizenship CSSC in Rome, which he describes as a leading independent research centre specializing in advice on political, ethical and social issues raised by emerging technologies. His topic was “Secrecy in the Post Wikileaks Era”, in itself a fascinating subject, but where it got really entertaining and thought-provoking was when he turned to the subject of the “segreto di Pulcinella”, or Pulchinella Secrets.

Pulchinella, we all learned, is a bumbling, clownish figure from the Italian “commedia dell’arte”, a traditional folksy form of theatre that began in Italy in the mid-16th century and which is characterized by masked “types” performing often improvised performances based on sketches or scenarios. According to Wikipedia, “arte” does not refer to “art” as we currently consider the word, but rather to that which is made by “artigiani” (artisans).



Having the right conversation on online banking security

22.03.2011 by Tim Cole

Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.

No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentity makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.

Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).

ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a non-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simply reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.


Security or a ham sandwich?

16.02.2011 by Tim Cole

When identity pros get together and let their hair down, they like to swap stories about all the dumb and/or ill-advised things people do with their passwords. The BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied. Which calls to mind George Bernard Shaw’s famous question “What’s better: eternal salvation or a ham sandwich? Well, nothing’s better than eternal salvation, but a ham sandwich is better than nothing…”

In fact, most of the stuff you hear about the risks of identity theft and sloppy password management is anecdotal. Which is why I really enjoyed listening to Lora Deeds of Quest Software, who used the RSA Conference in San Francisco as the venue to introduce a survey her company did with Harris Interactive on the use of policies and technologies to manage and protect users’ electronic identities, including provisioning and especially deprovisioning of those IDs.

What they did was ask some 1,500 white collar workers and an additional 500 IT decision makers to tell them the truth about some dirty little secrets surrounding identity and security. They didn’t really find out anything new, but they did provide much-needed proof for some of the things we ID Pros have been assuming for years, namely that people and companies are extremely negligent in their everyday care and feeding of digital identities.



Escaping from Cross-Platform Purgatory

05.02.2011 by Tim Cole

Things would be so simple if companies could just sit down and agree for everyone to use the same computers, or at least the same operating system. In a perfect world, everyone would use Windows or UNIX or Apple or Linux and IT admins might actually find time to lean back and rest their weary bones.

But since we don’t live in a perfect world, admins live in a nightmare of mixed platforms and systems where juggling sensitive data around is something Dante would have described in grueling detail if computers had been around when he wrote the “Inferno”.



Waking up to the walk-away problem

01.12.2010 by Tim Cole

Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing.

I love listening to my friend Andy Müller-Maguhn, for instance. He’s one of the founders of the Chaos Computer Club in Hamburg, and he likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have of breaking into other people’s systems and all the horrible damage they can do there.

Andy is one of the good guys, of course, or so he says. And yeah, you can hire him as a security consultant, just in case. Which sort of reminds me of the young men in Naples who wash your windshield while you wait at a stoplight and rip your wiper blades off if you don’t tip them.

Which brings us in a very roundabout way to a security risk I somehow never thought of before, but now it worries me no end. The guy who stirred me up is David Ting, a charming IT professional who founded a small company a few years back called Imprivata that has been generating a lot of publicity recently for a product called “OneSign Secure Walk-Away”. In fact, just last week they won the UK IT Industry’s prestigious “Security Innovation of the Year” award for it. Seems like folks in Britain were as disturbed as I was to find that there had been a serious security risk lurking under their very noses they had somehow overlooked.



Old dog, new tricks

04.11.2010 by Tim Cole

At my time in life, you sort of become settled into old, comfortable habits, and that’s okay.

However, moving from Munich to Boston to set up our new US office has shaken a few things up in my life. And as if that wasn’t enough, I flew out to the Bay Area a couple of days later to attend IIW ’11, which the organizers, Kaliya Hamlin (a.k.a. “identitywoman”), Phil Windley and Doc Searls put on at the Computer History Museum, right around the corner from NASA’s Ames Research Center at Moffett Field in Mountain View – and boy did that give me a dose of culture shock.

I mean, we at KuppingerCole have some experience putting on an event like the European Identity Conference, and so I know how much backbreaking labor and painstaking detail needs to go into creating, among other things, a three-day conference program.

Only it doesn’t.

It took the assembled hundred or so hard-core members of the Identity Gang about 20 minutes to assemble a complete, gilt-edged program covering just about all the really hot topics in the identity space today, and they did so by simply standing up, saying what they wanted to discuss, and going over and hanging a sign on an “agenda wall” telling people when and where to meet.

This format is called an “unconference”, only it isn’t, either. It is a full-fledged symposium divided into hour-long blocks – that is, unless someone wants to go into extra time, in which case, that’s fine. In fact, anything is fine. That’s because there are no rules at IIW, or at least nothing that resembles a rule in the understood sense of the word. Instead there are some guiding principles that sound like something straight out of Douglas Adams, or maybe some kind of secular geek ashram (which it isn’t, really).



Cloud Computing: Thinking inside the box

09.09.2010 by Tim Cole

The problem with Cloud Computing is that no two experts can agree what it really is, right? Wrong! As of Sunday evening, we at least have two major players singing from the same psalm book.

At Oracle Open World in San Francisco, Larry Ellison went public with the announcement that not only does he agree with Amazon on their definition of Cloud Computing; he is actually stealing their thunder, or at least the thunder of the name Amazon invented to describe their cloud services, namely “Elastic Cloud”.

He also gave a firm answer to the age-old question: is Cloud Computing an application or a platform? The latter, the man who feels equally at home at the helm of a racing yacht or an international computer company stated in no uncertain terms, hurling a bolt of devastating lightning at Salesforce.com, which to him is “just a couple of applications on the Internet”.

So here is Larry’s definition of Cloud Computing, just in case you wondered. It is a pool of resources for developing and sharing applications, so it’s a platform, stupid! It involves virtualization, so if it isn’t virtual, it ain’t cloud. It uses “elastic” technology so it can scale quickly and easily (and back, too: users should be able to get rid of resources they no longer need just as simply as they can dial them up). And did I mention pricing? You only pay for what you eat, of course.

Ellison is a man who practices what he preaches. So the riddle of the grey cabinet the size of a large dresser standing next to him on the stage of Moscone Center was soon solved. Nicknamed the “Cloud in a Box”, the new product he announced is officially called the “Exalogic Elastic Cloud” and consists of 30 servers running in parallel with its very own storage array, two separate operating systems (Solaris for the hardware, Linux for the software), VM and middleware (by Oracle, of course), all tightly packed into a single closet-sized unit. It represents nothing less than your very own private cloud that you can install and run behind your corporate firewall, thus eliminating all those worrisome questions about security that till now have kept CIOs from jumping on the cloud bandwagon. This, Ellison declared, is the future of Cloud Computing.



The business of business is trust

09.03.2010 by Tim Cole

Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services’ decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.

So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.

His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.

And what is even more surprising was that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German watchers, “and business, especially the IT business, needs to take the lead.”

How often do identity gurus in the U.S. get to air their views on “60 minutes”?

Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.

The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full consent and oversight of the consumer.

This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…



© 2012 Tim Cole, KuppingerCole