Protocol gut check. That's how someone recently described some research I've got under way for a report we're calling the "TechRadar™ for Security Pros: Zero Trust Identity Standards," wherein we'll assess the business value-add of more than a dozen identity-related standards and open protocols. But it's also a great name for an episode of angst that recently hit the IAM blogging world, beginning with Eran Hammer's public declaration that OAuth 2.0 -- for which he served as a spec editor -- is "bad."
As you might imagine, our TechRadar examination will include OAuth; I take a lot of inquiries and briefings in which it figures prominently, and I've been bullish on it for a long time. In this post, I'd like to share some thoughts on this episode with respect to OAuth 2.0's value to security and risk pros. As always, if you have further thoughts, please share them with me in the comments or on Twitter.
Yesterday, the White House released a long-awaited set of recommendations that are focused on helping individuals take greater control of how their data is collected and used for online marketing purposes. It includes what's being referred to as a "Consumer Privacy Bill of Rights."
The language is vague. The timeline to completion is long. The guidelines, for now, are "opt-in" for organizations. All true.
But folks? The glory days of scraping and selling and repurposing customer data are over. The Oval Office has spoken on the issue of privacy and personal data, and its bill of rights is crystal clear: Tell me what you’re collecting, how you’re using it, protect it well, give me a copy, and give me a chance to correct it, delete it, or opt out entirely.
It has been a few years since Forrester delved deeply into the issues surrounding consumer privacy, and in that time, an awful lot has changed:
Facebook Connect, Google ID, Yahoo Identity, and Sign In With Twitter have emerged as a whole new way of being recognized across a myriad of websites across the Net. As little as a decade ago, most adults online couldn't have imagined the convenience of single sign-on.
At the same time, data capture methods have not only proliferated, they’ve become exceptionally sophisticated. Tactics like Flash-based cookies and deep packet sniffing surreptitiously collect behavioral data about online consumers, while loyalty and membership cards provide more insight into consumers’ purchasing habits at the line item level than ever before.
All that extra data is hard to protect without big changes to governance policies and technology stacks, and when data breaches happen, they're public and ugly.
Finally, legislators have forged ahead with regulations to protect consumer data. Europe's answer is the Data Protection Directive – a regulatory framework that governs the capture, management, and use of consumer data – while in the US, congressional leaders, egged on by consumer advocacy groups, are introducing bills designed to limit data capture and to provide remediation in cases of data and security breaches.
My Customer Intelligence colleagues and I, like many others, can't help but wonder how Carol Bartz's departure from Yahoo! is going to play out for the digital behemoth. Shar VanBoskirk's post last week summarizes Yahoo!'s current state, and I agree with her assessment that the company's assets are worth far more piecemeal than as a whole. As she points out, Yahoo!'s advertising capabilities are one of its greatest assets.
But from a CI perspective, so is its OpenID-based Yahoo! ID, which enables single sign-on (SSO) functionality for its more than 273mm global email-service users. Now, while a relative minority of those users actually take advantage of Yahoo! ID across the web today, the demand for SSO and federated identity is growing such that Yahoo!'s broad user base and consumer trust are already tremendously valuable.
So, who are the "unusual suspects" that have the most interesting opportunity for acquiring Yahoo!'s personal services/communications/identity management business?
Wal-Mart. Yep, you read it right. Wal-Mart, despite being the world's largest retailer, continues to lose digital market share to Amazon, and it clearly wants to change that. Last month, it restructured its online organization to better align with its brick-and-mortar presence, and just this week it announced plans to buy "key assets" of mobile ad targeter OneRiot. Yahoo! ID would give Wal-Mart the single sign-on capability that it doesn't have today, with some nice benefits over Amazon's closed-ecosystem identity service. And Yahoo!'s user base is, demographically speaking, a slightly better fit for Wal-Mart than for other major big-box retailers.
“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)
What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.