Identity Protocol Gut Check

Protocol gut check. That's how someone recently described some research I've got under way for a report we're calling the "TechRadar™ for Security Pros: Zero Trust Identity Standards," wherein we'll assess the business value-add of more than a dozen identity-related standards and open protocols. But it's also a great name for an episode of angst that recently hit the IAM blogging world, beginning with Eran Hammer's public declaration that OAuth 2.0 -- for which he served as a spec editor -- is "bad."

As you might imagine, our TechRadar examination will include OAuth; I take a lot of inquiries and briefings in which it figures prominently, and I've been bullish on it for a long time. In this post, I'd like to share some thoughts on this episode with respect to OAuth 2.0's value to security and risk pros. As always, if you have further thoughts, please share them with me in the comments or on Twitter.


Zero Trust Identity: Go From "Identity-As-A-Service" To "IAM-As-An-API"

I just love the theme of our upcoming Forrester Security Forum (Las Vegas in May, and Paris in June -- check out Laura Koetzle's definitive blog post). Leapfrog Your Global Competition. Rethink Security; Run At The Threat. There's never been a better time to take a deep breath and rethink how security can contribute to business savvy and agility. The "Zero Trust Identity" report I'd telegraphed in my previous post on API access control is now out, and it's consonant with this theme. I found that if enterprises want to be nimble and secure in getting value out of mobile, cloud, and consumerization trends, they're going to have to get over some bad "unextended enterprise" habits, such as tight coupling to authentication functions.


A New Venn Of Access Control For The API Economy

Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)

OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user (the resource owner). It has flows for letting the user explicitly consent to (authorize) this delegated access, scoped to what the app actually needs, and it separately authenticates the calling application itself (for a confidential client, typically with a client ID and secret) before issuing it an access token. So does the auth part of the name stand for authentication, authorization, or what? Formally it’s authorization (the spec calls itself “The OAuth 2.0 Authorization Framework”), and how the user proves who they are to the authorization server is left out of scope; in practice, let’s go with “all of the above.”
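To make the two different "auth" steps concrete, here is an added example (not code from the original post or from any of the vendors named above) that walks an authorization-code grant entirely in memory: the user consents on the front channel, the client authenticates itself on the back channel to redeem the code, and the API authorizes the call on the user and scope carried by the token. The client "photo-printer", its secret, the redirect URI, the scope names and the user "alice" are constructed for illustration; a real deployment adds TLS, PKCE for public clients, and a proper token format.

```python
"""
Minimal OAuth 2.0 authorization-code exchange, in memory.

Added example, not the original post's code. Client, user, scopes and the
opaque token format are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    # Registered clients: client_id -> (client_secret, redirect_uri). Constructed sample data.
    clients: dict = field(default_factory=lambda: {
        "photo-printer": ("s3cret-printer", "https://printer.example/cb"),
    })
    codes: dict = field(default_factory=dict)    # code -> (client_id, user, scope, redirect_uri)
    tokens: dict = field(default_factory=dict)   # access_token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, requested_scope, user, consented_scope):
        """Front channel: the *user* has logged in to the AS and consents.
        Returns a code bound to client, user, granted scope and redirect URI."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match registration")
        granted = set(consented_scope) & set(requested_scope)  # user may grant less, never more
        if not granted:
            raise PermissionError("user denied all requested scope")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(granted), redirect_uri)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the *client* authenticates (client_id + secret) and
        redeems the code. The user is not involved in this step."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # codes are single-use
        if entry is None:
            raise PermissionError("invalid or already-used code")
        code_client, user, scope, code_redirect = entry
        if code_client != client_id or code_redirect != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, user, scope)
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": " ".join(sorted(scope))}

    def introspect(self, access_token):
        return self.tokens.get(access_token)


class ResourceServer:
    """The protected API. It authorizes on what the token carries, not on the caller's IP."""

    def __init__(self, authz):
        self.authz = authz
        self.photos = {"alice": ["beach.jpg", "hike.jpg"]}  # constructed sample data

    def list_photos(self, bearer_token):
        entry = self.authz.introspect(bearer_token)
        if entry is None:
            raise PermissionError("401 invalid_token")
        _client_id, user, scope = entry
        if "photos:read" not in scope:
            raise PermissionError("403 insufficient_scope")
        return list(self.photos.get(user, []))


def run_flow():
    """Drive one full code grant plus two negative checks; returns the outcomes."""
    authz = AuthorizationServer()
    api = ResourceServer(authz)
    cb = "https://printer.example/cb"

    # 1. The app asks for read+write; alice grants only read.
    code = authz.authorize("photo-printer", cb, ["photos:read", "photos:write"],
                           user="alice", consented_scope=["photos:read"])
    # 2. The app authenticates itself and redeems the code for a token.
    tok = authz.token("photo-printer", "s3cret-printer", code, cb)
    # 3. The app calls the API on alice's behalf.
    photos = api.list_photos(tok["access_token"])

    # Checks a practitioner wants: replaying the code and a wrong client secret must both fail.
    try:
        authz.token("photo-printer", "s3cret-printer", code, cb)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    fresh = authz.authorize("photo-printer", cb, ["photos:read"], "alice", ["photos:read"])
    try:
        authz.token("photo-printer", "wrong-secret", fresh, cb)
        bad_secret_rejected = False
    except PermissionError:
        bad_secret_rejected = True

    return {"scope": tok["scope"], "photos": photos,
            "replay_rejected": replay_rejected, "bad_secret_rejected": bad_secret_rejected}
```

Note that the code is bound to the client and redirect URI it was issued for and is consumed on first use, so a leaked code is worthless without the client's credentials and cannot be replayed; the granted scope is the intersection of what was requested and what the user agreed to, which is the "consent" half of the picture.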

However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture.


Strong Authentication: Bring-Your-Own-Token Is Number Three With A Bullet

In approaching the research for my recently published TechRadar™ on strong authentication, at first I struggled a bit with overlapping concepts and terminology (as can be seen in the lively discussion that took place over in the Security & Risk community a few months back). The research ultimately revealed that form factor matters a lot -- smartcards in actual card form, for example, have some properties and use cases distinct from smart chips in other devices. So smartcards became one of the 14 categories we included.

The category that quickly became my favorite was "bring-your-own-token." BYOT is Forrester's term for the various methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have. The classic example is a one-time password that gets sent in an SMS message to a pre-registered phone (a channel with weaknesses of its own, since a phone number can be ported away from its owner, so match it to the risk tier it protects), but we see emerging vendors doing a lot of innovation in this space. You can get a surprising amount of risk mitigation value from this lightweight approach, in which you can treat provisioning not as an expensive snail-mail package, but as a mere self-registration exercise. In a world where hard tokens and smartcards prove themselves to be, shall we say, imperfectly invulnerable, lightweightness can have a value all its own. In fact, BYOT showed up just behind these two venerable methods in the "significant success" trajectory on the TechRadar.


More Holiday Cheer: SCIM Cloud Provisioning Standard Reaches A Big Milestone

I've blogged and published research before about the emerging Simple Cloud Identity Management (SCIM) standard. The SCIM group has just approved Version 1.0. No, it's not your imagination: important standards around loosely coupled identity management really are being developed, tested, and deployed at a faster rate than ever before.

What does this new pace mean for security pros? New identity protocols can be disruptive to large enterprises that have already deployed older solutions, but these new solutions will enable IT organizations to reduce costs and improve agility in managing access to/from smaller partners and customers that don't have the means to deploy the heavy stuff. That makes access control easier to achieve in a Zero Trust world. (Andras Cser and I touch on the theme of "leaner and cleaner" identity protocols in our just-published Identity And Access Management: 2012 Budget And Planning Guide, and I do a deeper dive, assessing the future of SAML and the business value of newer federation protocols, in OpenID Connect Heralds The "Identity Singularity".)


Fast Cloud Identity Provisioning

Back in July, I wrote about a new RESTful API that cloud providers and provisioning vendors are working on for doing identity provisioning and synching: Simple Cloud Identity Management, or SCIM (like the milk). At last week's Internet Identity Workshop -- only five months after this draft spec made its formal debut! -- I had a chance to see the SCIM developers' live interop session in action. The interop saw successful participation by the likes of Cisco, Ping Identity, Sailpoint, salesforce.com, Technology Nexus, and UnboundID, with user accounts being securely created and torn down rapid-fire over the ether.
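What "accounts being created and torn down over the ether" looks like at the wire level is a POST and a DELETE against a /Users resource. The following is an added example, not code from the post, the SCIM working group, or any interop participant: a tiny in-memory service-provider endpoint modeled as plain request/response dicts rather than a running HTTP server, so it works offline. It uses the SCIM 1.0 core schema URN; the base URL, bearer token and user "bjensen" are constructed, and the error shape is simplified from what the spec defines.

```python
"""
In-memory SCIM-style /Users endpoint: create a user, read it back, delete it.

Added example, not the SCIM spec's code or any vendor's. Base URL, bearer
token and the sample user are constructed for illustration.
"""
import hmac
import uuid
from datetime import datetime, timezone

SCIM_CORE_1_0 = "urn:scim:schemas:core:1.0"


def _error(status, description):
    # Simplified error body; SCIM 1.0 wraps errors in an "Errors" array.
    return status, {"Errors": [{"description": description, "code": str(status)}]}


class ScimUsersEndpoint:
    def __init__(self, base_url, bearer_token):
        self.base_url = base_url.rstrip("/")
        self._token = bearer_token
        self._users = {}  # id -> resource

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        return scheme == "Bearer" and hmac.compare_digest(token, self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch the way a SCIM service provider would. Returns (status, body)."""
        if not self._authorized(headers):
            return _error(401, "Missing or invalid bearer token")
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        parts = path.split("/")
        if len(parts) == 3 and parts[1] == "Users":
            user_id = parts[2]
            if method == "GET":
                return (200, self._users[user_id]) if user_id in self._users \
                    else _error(404, "Resource %s not found" % user_id)
            if method == "DELETE":
                return (204, None) if self._users.pop(user_id, None) is not None \
                    else _error(404, "Resource %s not found" % user_id)
        return _error(404, "Unsupported endpoint")

    def _create(self, body):
        if SCIM_CORE_1_0 not in body.get("schemas", []):
            return _error(400, "Missing core schema in 'schemas'")
        user_name = body.get("userName")
        if not user_name:
            return _error(400, "userName is required")
        if any(u["userName"] == user_name for u in self._users.values()):
            return _error(409, "userName already exists")  # uniqueness conflict
        user_id = str(uuid.uuid4())
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        resource = dict(body)
        resource.update({
            "id": user_id,
            "meta": {"created": now, "lastModified": now,
                     "location": "%s/Users/%s" % (self.base_url, user_id)},
        })
        self._users[user_id] = resource
        return 201, resource


def run_lifecycle():
    """Provision, collide, read, deprovision, then show the negative cases. Returns status codes."""
    ep = ScimUsersEndpoint("https://idm.example/scim/v1", "constructed-token")
    hdr = {"Authorization": "Bearer constructed-token"}
    new_user = {
        "schemas": [SCIM_CORE_1_0],
        "userName": "bjensen",
        "name": {"givenName": "Barbara", "familyName": "Jensen"},
        "emails": [{"value": "bjensen@example.com", "primary": True}],
    }
    created_status, created = ep.handle("POST", "/Users", hdr, new_user)
    user_path = "/Users/" + created["id"]
    return [
        created_status,                                   # 201 Created
        ep.handle("POST", "/Users", hdr, new_user)[0],    # 409 duplicate userName
        ep.handle("GET", user_path, hdr)[0],              # 200 read back
        ep.handle("DELETE", user_path, hdr)[0],           # 204 torn down
        ep.handle("DELETE", user_path, hdr)[0],           # 404 already gone
        ep.handle("GET", user_path, {})[0],               # 401 no bearer token
    ]
```

The point of the negative cases is that deprovisioning must be idempotent and observable (the second DELETE says 404, not 204, so a reconciliation job can tell "never existed" from "just removed"), and that every call, including the teardown, is gated on the same bearer credential; a provisioning API with an unauthenticated DELETE is a denial-of-service endpoint.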

What's more, in talking with a more traditional on-premises identity vendor later in the week, I discovered that they loved how SCIM was shaping up, and planned to check it out ASAP as a way they could expose their own provisioning functionality.

In this Zero Trust world, with perimeters melting all over the place, I'm seeing signs that this lightweight API trend for IdM functionality is only going to accelerate. What do you think? If you're coming to Forrester Security Forum in a couple of weeks, I hope you'll grab me for a conversation about how this trend impacts your plans.


Can You Join The API Economy While Maintaining Top-Notch Security?

If anything exemplifies the extended enterprise, it's the notion of the "API economy": Unlocking value in your organization's unique data and services by publishing open APIs (application programming interfaces) for access by third parties. As Laura Koetzle notes, business leaders today are prioritizing growth above all -- and fostering a third-party developer ecosystem is becoming a great way to boost revenue. Best Buy, eBay, and USA Today are examples of companies with APIs and external developer communities.

But, but, but...just how secure is an open API? Especially if you, the security professional, can't fully control these external developers' actions? This is where it gets exciting, because security and identity-based access control are enablers of these new business opportunities. After all, an API of this sort is essentially a digital product whose use must be metered.

Many organizations in this position are turning to the OAuth technology to solve a host of security challenges that arise from opening up APIs. I'm excited to be bringing the latest in OAuth business cases, adoption news, and recommendations to my Forrester Security Forum track session on "Securing And Identity-Enabling Monster Mashups." Hope to see you at the Forum November 9-10 in Miami!

(Got a great API security story, or maybe some questions? Don't wait till November; feel free to share in a comment here, or ping me on Twitter using the #FSF11 hashtag.)

In Cloud-Friendly Web Services Security, "There Is No Enterprise." Wait. What?

“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)

What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.


Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?

Many IT security pros are moving toward disruptive new authentication and authorization practices to integrate securely with cloud apps at scale. If you’re considering such a move yourself, check out my new report, The “Venn” of Federated Identity. It describes the potential cost, risk, efficiency, and agility benefits when users can travel around to different apps, reusing the same identity for login.

Aggregate sources of identities are large enough now to attract significant relying-party application “customers” – but the common currency for identity data exchange varies depending on whether the source is an enterprise representing its (current or even former) workforce, a large Web player representing millions of users, or other types of identity providers. These days, the SAML, OAuth, and OpenID technologies are the hard currencies you’ll need to use when you participate in these identity markets. You can use this report to start matching what’s out there to your business scenarios, so you can get going with confidence.

What The White House Cybersecurity Proposal Means: Don't Miss Jonathan Penn's Take

If you're in the habit of checking out only the Security & Risk Professionals blog, you might have missed Jonathan's takeaways over on the Vendor Strategy side: What The New White House Cybersecurity Proposal Means For The IT Security Industry, Businesses, And Consumers. Interestingly, he puts consumers in both the "winners" column and the "losers" column. Read the post to see why, and feel free to share your thoughts with us on these matters!