Does your browser know who you are?

15.02.2011 by Tim Cole

The lowly browser has come a long way since Marc Andreessen wrote the code for Mosaic back in his salad days as a student at the National Center for Supercomputing Applications because he was fed up with the line-mode interface intrepid Internet pioneers like us were forced to use back in the early Nineties. But Mosaic was a relatively simple program, and improvement set in almost immediately. First came plug-ins, then Java applets and extensions, and today’s web browsers are actually sophisticated and powerful packages of applications that can automatically handle anything from downloading music to playing radio or running videos. For most of us, the browser is our window to the world behind the computer screen, and in the age of cloud computing, it is poised to take over as the most important and widely used piece of software ever written.

At the Identity Collaboration workshop held yesterday in San Francisco on the eve of the RSA Conference, browsers seemed poised to take the next big step forward when Mike Hansen and Dick Hardt hosted a session which they entitled “Identity in the browser”. For that, though, the browser as we know it must be replaced by an intelligent application that stores the necessary credentials on the user’s machine and releases them on request by a website, thus saving us the trouble and bother of constantly typing in our user names and passwords or performing some other kind of authentication before being allowed to access content or services online.



Escaping from Cross-Platform Purgatory

05.02.2011 by Tim Cole

Things would be so simple if companies could just sit down and agree for everyone to use the same computers, or at least the same operating system. In a perfect world, everyone would use Windows or UNIX or Apple or Linux and IT admins might actually find time to lean back and rest their weary bones.

But since we don’t live in a perfect world, admins live in a nightmare of mixed platforms and systems where juggling sensitive data around is something Dante would have described in grueling detail if computers had been around when he wrote the “Inferno”.



Bringing the Cloud Down to Earth

01.02.2011 by Tim Cole

Without getting into the umpteenth discussion about what, who and where is the Cloud, I think we can safely assume that for average people, and especially for businesspeople, Cloud Computing is when you run an application or store some data on someone else’s server somewhere out there “in the Cloud”. By this definition, Salesforce.com, just to name an instance, fits just about everybody’s idea of Cloud Computing.

Oracle’s Larry Ellison would beg to differ, and he actually traded insults onstage at Open World 2010 with Salesforce’s boss Marc Benioff, whom he accused of “just running a few applications on some servers.” To which Benioff memorably replied: “You can’t run a cloud in a box, Larry” – referring to Oracle’s jumbo-sized “Exalogic Elastic Cloud” which Ellison had just introduced.

Which is funny, because according to Chandar Pattabhiram, VP Product Marketing at Cast Iron Systems, a small Silicon Valley startup recently acquired by IBM, the box metaphor is actually a pretty good description of Salesforce itself.

The problem with most SaaS applications (and Salesforce is regularly cited as the best-known example of SaaS at work) is that they are completely self-contained, meaning that they have no connection to the other systems a company may be running. In fact, many CIOs will tell you if they’re honest that they don’t know if anyone is running Salesforce in their company, since they probably didn’t ask IT’s permission in the first place. This, by the way, is a prime reason for the paranoia many CIOs feel towards Cloud Computing in general, since it implies a loss of control over what is going on in the company, IT-wise.



Waking up to the walk-away problem

01.12.2010 by Tim Cole

Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing.

I love listening to my friend Andy Müller-Maguhn, for instance. He’s one of the founders of the Chaos Computer Club in Hamburg, who likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have for breaking into other people’s systems and all the horrible damage they can do there.

Andy is one of the good guys, of course, or so he says. And yeah, you can hire him as a security consultant, just in case. Which sort of reminds me of the young men in Naples who wash your windshield while you wait at a stoplight and rip your wiper blades off if you don’t tip them.

Which brings us in a very roundabout way to a security risk I somehow never thought of before, but now it worries me no end. The guy who stirred me up is David Ting, a charming IT professional who founded a small company a few years back called Imprivata that has been generating a lot of publicity recently for a product called “OneSign Secure Walk-Away”. In fact, just last week they won the UK IT Industry’s prestigious “Security Innovation of the Year” award for it. Seems like folks in Britain were as disturbed as I was to find that there had been a serious security risk lurking under their very noses they had somehow overlooked.



You can’t have one without the other(s)

14.11.2010 by Tim Cole

Remember the old New Yorker cartoon about the canine computer user telling his sidekick: “On the Internet, nobody knows you’re a dog”? That was back in 1993, but it still holds true. And while many, myself included, relish the anonymity the Net gives us, the inability to prove conclusively who is on the other end of the line can be irking, and even downright dangerous, when large sums of money or the running of critical or possibly even existential systems is concerned.

Of course, the username/password currently used by almost everybody doesn’t prove who you or I are at all. It simply proves that there is indeed an entry in a database that uses these attributes, so anybody who knows them can get in.

That’s probably okay for most use cases. After all, the world as we know it won’t come to an end if somebody hijacks my Facebook account. And for things like eBanking or PayPal I have additional ways of protecting myself: tokens, one-time passwords or Transaction Numbers (TANs), for instance. And yes, my laptop does have a fingerprint reader built in. I don’t have an iris scanner yet, but these things are available if needed. There are lots of other methods out there, such as systems that analyze my typing behavior or listen to my voice patterns. One of my favorites is a system called “PassFaces” which makes you memorize the faces from pictures of total strangers whom you are then required to pick out from a matrix of mugshots. Presumably, if you can recognize, say, three people, then this must be the real you knocking on my digital door.

Unfortunately, each of these methods has its foibles and weaknesses, so relying on any one of them just gets us back to square A, namely a relatively insecure system. So why not use a bunch of them simultaneously?

That’s the idea that occurred to the folks at Delfigo Security, a tiny South Boston start-up I visited recently. Their product, DSGateway, is supposedly able to analyze up to 17 different identity factors at once to create what Bharat Nair, who heads development at Delfigo, calls a “confidence factor”, and which I would describe as the probability of it really being me, as opposed to some crook or software robot trying to impersonate me.



Old dog, new tricks

04.11.2010 by Tim Cole

At my time in life, you sort of become settled into old, comfortable habits, and that’s okay.

However, moving from Munich to Boston to set up our new US office has shaken a few things up in my life. And as if that wasn’t enough, I flew out to the Bay Area a couple of days later to attend IIW ’11, which the organizers, Kaliya Hamlin (a.k.a. “identitywoman”), Phil Windley and Doc Searls put on at the Museum of Computer History right around the corner from NASA’s Ames Research Lab at Moffett Field in Mountain View – and boy did that give me a dose of culture shock.

I mean, we at KuppingerCole have some experience putting on an event like the European Identity Conference, and so I know how much backbreaking labor and painstaking detail needs to go into creating, among other things, a three-day conference program.

Only it doesn’t.

It took the assembled hundred or so hard-core members of the Identity Gang about 20 minutes to assemble a complete, gilt-edged program covering just about all the really hot topics in the identity space today, and they did so by simply standing up, saying what they wanted to discuss, and going over and hanging a sign on an “agenda wall” telling people when and where to meet.

This format is called an “unconference”, only it isn’t, either. It is a full-fledged symposium divided into hour-long blocks – that is, unless someone wants to go into extra time, in which case, that’s fine. In fact, anything is fine. That’s because there are no rules at IIW, or at least nothing that resembles a rule in the understood sense of the word. Instead there are some guiding principles that sound like something straight out of Doug Adams, or maybe some kind of secular geek ashram (which it isn’t, really).



Cloud Computing: Thinking inside the box

09.09.2010 by Tim Cole

The problem with Cloud Computing is that no two experts can agree what it really is, right? Wrong! As of Sunday evening, we at least have two major players singing from the same psalm book.

At Oracle Open World in San Francisco, Larry Ellison went public with the announcement that not only does he agree with Amazon on their definition of Cloud Computing; he is actually stealing their thunder, or at least the thunder of the name Amazon invented to describe their cloud services, namely “Elastic Cloud”.

He also gave a firm answer to the age-old question: is Cloud Computing an application or a platform? The latter, the man who feels equally at home at the helm of a racing yacht or an international computer company stated in no uncertain terms, hurling a bolt of devastating lightning at Salesforce.com, which to him is “just a couple of applications on the Internet”.

So here is Larry’s definition of Cloud Computing, just in case you wondered. It is a pool of resources for developing and sharing applications, so it’s a platform, stupid! It involves virtualization, so if it isn’t virtual, it ain’t cloud. It uses “elastic” technology so it can scale quickly and easily (and back, too: users should be able to get rid of resources they no longer need just as simply as they can dial them up). And did I mention pricing? You only pay for what you eat, of course.

Ellison is a man who practices what he preaches. So the riddle of the grey cabinet the size of a large dresser standing next to him on the stage of Moscone Center was soon solved. Nicknamed the “Cloud in a Box”, the new product he announced is officially called the “Exalogic Elastic Cloud” and consists of 30 servers running in parallel with its very own storage array, two separate operating systems (Solaris for the hardware, Linux for the software), VM and middleware (by Oracle, of course), all tightly packed into a single closet-sized unit. It represents nothing less than your very own private cloud that you can install and run behind your corporate firewall, thus eliminating all those worrisome questions about security that till now have kept CIOs from jumping on the cloud bandwagon. This, Ellison declared, is the future of Cloud Computing.



Not Just Any Port in a Storm

28.08.2010 by Tim Cole

As anyone in the identity industry knows, more lies between America and Europe than just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds.

Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning their readers about “Google’s next attack: Now they’re using bikes to film us!” The German minister of consumer affairs, Ilse Aigner, has publicly urged her fellow citizens to follow her example and cancel their Facebook accounts.

Most Americans I know simply shake their heads and grumble about “unhinged eurocrats run amok”. But unfortunately, it isn’t that simple. For better or worse, American companies need to realize that these are genuine concerns by genuine people. And no matter how lackadaisical US consumers may be when it comes to handing out personal information, the reality is that Europeans are not.

“But isn’t that what Safe Harbor is all about?”, one American identity expert (who shall remain nameless) exclaimed recently when I asked him how he thinks the problem should be addressed. True – but apparently, safe harbors in the US are anything but. That at least is what the so-called “Duesseldorf Circle”, a group of data privacy officials from all German states, stated in a report released last April. They accuse US companies of cheating on the agreement which was reached way back in 2000 between the United States and the EU.


A Right to Forget?

07.08.2010 by Tim Cole

The Internet, like an elephant, never forgets.

Unfortunately, it also never forgives, as witnessed by the case of Stacy Snyder, a 25-year-old former student at Millersville University School of Education in Pennsylvania, who wanted to become a teacher. Until the day she went to a party and had her picture taken drinking from a plastic beaker and wearing a pirate hat.

The picture found its way onto MySpace, where it was seen by a professor who thought it decidedly unfunny. In fact, he was so incensed that he informed the school authorities, who refused to grant the young woman the diploma she had earned, stating that her conduct was “unprofessional” and that she had, albeit indirectly, encouraged young people to drink. Stacy went to court, arguing that the school had infringed on her right of free speech under the First Amendment, but a federal judge threw her case out.

All this happened back in 2007, but it is quoted at length in Viktor Mayer-Schönberger’s book “Delete: The Virtue of Forgetting in the Digital Age”, and it provides an extreme example of how rash behavior can come back to haunt you in the Digital Age. The author pontificates at length about the need for parents to teach their kids to behave responsibly when online (as if the cyber kids are going to listen to old fuddy-duddies like us).



No more Mr. Nice Guy

29.06.2010 by Tim Cole

Adobe is a company everybody likes. Okay, with the possible exception of Steve Jobs, that is. But really: Adobe is probably the largest vendor in the IT industry that doesn’t compete head-on with any of the other giants. In fact, cooperation seems to be somehow bred into their genes, which is why the Adobe managers I met with recently in Paris seemed to be exceptionally nice.

But that may change.




© 2012 Tim Cole, KuppingerCole