Termination of Google Apps SSOCircle Accounts

English on March 10th, 2015 No Comments

Google Apps integration into the SSOCircle of Trust was started in 2007 and was one of the first active Google SAML integrations at that time. Our intention was to showcase a working demo for SAML single sign on.

We have now received an email from Google which states that the Google Apps ISP Partner Edition, that we are using with the SSOCircle.com domain, will be terminated. See the email extract below:

Google >>>
As part of Google’s integration plans, we have elected to discontinue providing the Partner Edition Services going forward. As provided in the Agreement between Google Inc. and ssocircle.com, this letter serves as your formal notice that the Services will not be renewed, and our Agreement with you will terminate …
<<<

What this means to you:

Your email account @ssocircle.com is closing on 10th April 2015. After this date, you will no longer have access to this mail account nor will you be able to send or receive email with this account. In addition, if you are using other Google/ Google Apps services (e.g. Calendar, Drive, Documents …) with this account, action is required from you.

Please note: The termination of service does not impact your account at SSOCircle. The account at the IDP will still be available and can be used for SSO to other services.

We currently see no option to provide free mail or calendar services and we therefore have no plans to migrate to other Google products or other service providers. We will not migrate emails, calendar data or other content, nor do we plan to forward emails. Please download or migrate your content before 10th April 2015.

We regret any inconvenience this may cause. If you have questions or have other ideas please contact us.

Your SSOCircle Team


Enterprise Identity Bus Part 1

English on February 19th, 2015 No Comments

With the latest Identity Server 5.0.0 release WSO2 promotes the product as an “Enterprise Identity Bus”, hinting at its flagship product, the “Enterprise Service Bus” (WSO2 ESB). The Identity Server (WSO2 IS), whose strength has always been the entitlement engine with decent XACML support and the availability of Thrift interfaces together with WSO2's 100% open source strategy, might be considered as an identity and access management product by companies and internet communities.

In this article we would like to leverage recent project experience with WSO2 IS to discuss what exactly the identity bus feature of WSO2 looks like and how you could use WSO2 to replace an existing web access management (WAM) product and leverage the recently hyped Social Login feature.

From application-centric identity silo to the identity bus: The following diagrams visualize the different architectures for two example applications, SHOP and CRM, with edges representing authentication proofing relations (e.g. the user submits his credentials to the application, which verifies the credentials of the user).

[Diagrams: identity-hub-blog-1 → identity-hub-blog-5]

Let us consider the following scenario and requirements: Company X wants to have single sign on between their in-house web applications; employees use cloud-based services and appreciate convenient access to applications like Office365 or Zendesk. The company also wants to provide controlled access to their own services for customers, and they are building a growing internet community, which should attract users with easy registration and login processes powered by social login via Google, Facebook and the like.
Sounds like interesting requirements? That’s not all. The company is a modern and innovative technology firm. In identity tech speak that means that applications offer and use APIs protected by OAuth 2.0. But how can all these requirements be composed into an overall picture?

Breaking up the requirements:

A. Single Sign On for in-house applications: A classical WAM discipline involving policy agents installed into application servers, web servers and/or reverse proxies. These agents act as a policy enforcement point (PEP) that checks for authentication, redirects to a central login application for authentication, and validates sessions and access policies (authorization).

B. Account federation to cloud services and to identity providers provided by the company's customers, allowing SSO to cloud services like Office365 or the in-house applications.

C. Enable community users to register and sign in with their own social login (Google, Facebook …) to internet accessible in-house applications and probably to cloud services integrated into the community environment (e.g. Zendesk for customer services).

Going with the approach described here, we need to look into the integration details. Adhering to standards might be a good way to reduce effort and integration pain. In today’s identity world the following protocols need to be considered: SAML, the de facto standard for SSO in the enterprise as well as for many cloud services, and OpenID Connect, which is based on OAuth 2.0 and is becoming more and more prevalent in the consumer/social login context. For API access OAuth 2.0 is the first choice.

We broke up the article into different parts, each describing the solution for one of the requirements. If you like a sneak preview, watch the demo video:


Enterprise Identity Bus Part 2

English on February 19th, 2015 No Comments

The first step: Integrating in-house applications into an SSO system leveraging WSO2 as the identity server.

In the last article we introduced the project requirements to get rid of an application identity silo environment and to introduce an identity hub infrastructure. In this blog we are going to tackle requirement A.

A. Single Sign On for in-house applications: A classical WAM discipline involving policy agents installed into application servers, web servers and/or reverse proxies. These agents act as a policy enforcement point (PEP) that checks for authentication, redirects to a central login application for authentication, and validates sessions and access policies (authorization).

identity-hub-blog-2-enterprise-sso
Searching through the WSO2 web site and documentation, you will quickly realize that WSO2 does not provide much help here. There are SAML agents written in Java which can be used with all WSO2 products and other J2EE web applications. But using access policies powered by the WSO2 Identity Server XACML entitlement engine is only available as something like an experimental feature. And you will be totally left out in the rain when integrating content running on web servers or in reverse proxy architectures. That being said, there is definitely a need to search the internet and look at the other options available.

If you are looking for SAML there are some community Apache modules available. In our use case we decided to go with OpenID Connect for in-house applications because it is based on OAuth 2.0 and as such can easily be used to provide OAuth access tokens to applications protected by a reverse proxy (e.g. through headers). We found the open source mod_auth_openidc, developed by Hans Zandbelt / Ping Identity and licensed under the Apache license.

Let’s continue down the road: All we needed to do was to let the Apache module speak OpenID Connect to the WSO2 Identity Server. Sounds like a quick thing, since we are using standards, but it turned out to be real work, mainly due to the incomplete and buggy OpenID Connect implementation in WSO2 Identity Server 5.0.0. Several code modifications were necessary on the server side and, as a side effect, in the Apache module. Having done that, we had working SSO between the Apache proxies and the WSO2 IS but no authorization. We added the option to configure a “Require entitlement” in addition to the “Require valid-user” and “Require claim” directives already available in mod_auth_openidc. When this directive is activated, the agent queries the WSO2 SOAP XACML entitlement interface to check the authorization for specific resources.
With that in place we were able to do single sign on between the in-house applications and protect the URLs with policies formulated in XACML and centrally managed at the WSO2 Identity Server.

Requirement A accomplished. Read part 3 of this article for other requirements.


Enterprise Identity Bus Part 3

English on February 19th, 2015 No Comments

The second step: Account federations with cloud services and identity providers run by customers

In the first article we introduced the project requirements to get rid of an application identity silo environment and to introduce an identity hub infrastructure. The second part dealt with building a Single Sign On infrastructure leveraging WSO2 Identity Server and OpenID Connect Apache agents. In this blog we describe the approach for requirement B:

B. Account federation to cloud services and to identity providers provided by the company's customers, allowing SSO to cloud services like Office365 or the in-house applications.

identity-hub-blog-4-iidentity-hub

Interoperating with cloud services, and especially with services provided by customers, is different from handling in-house applications: You barely have a choice and need to work with what the service offers or the customer wishes. As a result you will need to cope with different standard protocols or derivatives of them. In our scenario we had to integrate mainly using SAML 2.0 with varying details: different attributes exchanged, different signed elements, etc. – facets that SAML 2.0 generously allows.

That point of the story turned out to be quite easy to do. SAML is a well-established protocol and obviously old enough so that involved identity providers and service providers are compatible. The challenge arises if you want to dynamically (just-in-time) provision users into your system or establish dynamic account linking on profile attributes. Fortunately WSO2 IS 5.0.0 introduced flexibility with several configuration options.

Making attributes available via the OpenID Connect UserInfo endpoint requires some puzzling with claim mappings, but in the end it worked.

Requirement B accomplished. Read part 4 of the story for solving requirement C.


Enterprise Identity Bus Part 4

English on February 19th, 2015 No Comments

The third step: Enabling easy community registration and sign-on.

In the first article we introduced the project requirements to get rid of an application identity silo environment and to introduce an identity hub infrastructure. The second part dealt with building a Single Sign On infrastructure leveraging WSO2 Identity Server and OpenID Connect Apache agents. The third part described account federations with cloud services and identity providers run by customers. In this blog we approach the requirement C:

C. Enable community users to register and sign in with their own social login (Google, Facebook …) to internet accessible in-house applications and probably to cloud services integrated into the community environment (e.g. Zendesk for customer services).

identity-hub-blog-5

Social authentication or sign-in allows users to access a service by using their Facebook, Google … accounts. There is no need to remember a new password or user name for the service. Dynamic user creation also eliminates or simplifies the annoying registration process of filling out user profile forms, remembering password reset questions etc. Sounds like a good idea, but integrating social logins had been a little cumbersome, as most services used proprietary protocols or OAuth 2.0 for that. OAuth 2.0 flows are good for authorizing access to user data, but lack processes for transferring identity information. As a result the services implemented their own proprietary add-ons to the OAuth standard.

In the last months more and more of these services have switched to OpenID Connect, which builds on OAuth 2.0 but adds an extra identity layer. WSO2 Identity Server has predefined authentication options called “Federated Authenticators” for OpenID Connect, SAML and the derivatives from Facebook, Google, Yahoo, Microsoft and some other, possibly outdated, standards. This makes the Identity Bus reality: translating the in-house SSO protocol to the different languages of the multi-protocol-speaking real world.

Requirement C accomplished.

One word about provisioning. WSO2 Identity Server has support for SCIM provisioning. Currently not many services support that protocol, but in the future SCIM might play an important role as a provisioning standard, especially when user life cycle processes involving de-provisioning are tackled.

If you have questions do not hesitate to contact us. And don’t forget to watch the video showcasing the identity bus in action:


Do you speak SAML? Google Apps, Salesforce and SAP Hana Cloud tested

English on December 23rd, 2014 No Comments

In this article we compare the SAML service provider implementation of three popular cloud services:

  • Google Apps (which includes GMail, Google Drive and Docs, Calendar)
  • Salesforce
  • SAP Hana Cloud

Our testing procedure includes verification of the service provider compliance to the SAML 2.0 specification and checking the handling of signature validations.

Abstract:
Security Assertion Markup Language (SAML) today is the main standard used for signing in to cloud services with a single authentication procedure (typically username/password). A correct implementation of the standard is crucial for security. Failing to do so may compromise security and lead to information loss.
Unfortunately SAML 2.0 is very complex and probably over-engineered, leaving the developer too many degrees of freedom to implement only parts of the security measures envisaged by the standard. The risk is aggravated because an implementation might look like it is functioning correctly: single sign on works and some of the checks against signatures or timestamps are processed. But on diving a little deeper, security issues or nonconformity become evident.
In our research we tested Google Apps, Salesforce CRM and SAP Hana Cloud as representatives of modern Cloud Service providers which provide Single Sign On integration with SAML 2.0.

Research method: Tool to run automated tests leveraging the SSOCheck API.

Test cases were divided into different testing areas:

  1. Replay
  2. General XML
  3. SAML Response Message
  4. SAML Assertion
  5. Digital Signature

The tests of areas 3 and 4 typically refer to the components of the SAML documents as illustrated in the following picture.
ssocheck-test-g-sf-s

Results:
SAP performed best in all categories. Salesforce ranked second. Google was vulnerable to assertion replay and almost completely ignored the response part of the SAML message and several attributes of the assertion.

We informed the security teams of the tested companies about the results before publishing the article. All companies replied in acceptable time. Some involved their development departments, which tried to reproduce the tests, and some argued with risk-based approaches. Salesforce was the fastest and most communicative respondent. SAP’s answer was the slowest but the most meticulous. Google took some time to respond, but over time a very interesting discussion evolved with participation of several members of the security and product teams, which led to the rollout of product patches. Most parties used the SSOCheck tool to understand and reproduce the findings.

The following table summarizes the results found.
Summary Table (% passed tests)

Test              | Google Apps | Salesforce CRM | SAP Hana Cloud
Replay            | 0           | 100            | 100
General XML       | 100         | 100            | 100
SAML Response     | 16.7        | 66.7           | 83.3
SAML Assertion    | 50.0        | 69.2           | 76.9
Digital Signature | 100         | 100            | 100 (*)
Total             | 48.5        | 82.7           | 88.5


*) SAP Hana Cloud was the only service provider who accepted a SAML response with an evil assertion inserted before the valid assertion. We rated the test as passed since the SAP implementation seemed to totally ignore the evil assertion and therefore could not be used to attack the service.

Total results were calculated as a weighted average of the group results, giving the SAML assertion tests a weight of 2, the general XML tests a weight of 0.5 and the rest a weight of 1.

Detailed test result table:

Test Google Apps Salesforce CRM SAP Hana Cloud
1 Unmodified SAML – as a positive protocol test
2 Replay Attack – SAML protocol message replayed
3 Invalid SAML Protocol Namespace
4 Invalid SAML Assertion Namespace
5 SAML Response Status Code is set to RequestDenied
6 SAML Response Issuer is invalid
7 SAML Response IssueInstant is set to a value in the future
8 SAML Response InResponseTo is invalid
9 SAML Response Destination is invalid
10 SAML Response Version is invalid
11 SAML Assertion Issuer invalid
12 SAML Assertion IssueInstant is set to a value in the future
13 SAML Assertion Version is invalid
14 SAML Assertion Subject without NameID
15 SAML Assertion subject NameId format set to an unknown value
16 SAML Assertion SubjectConfirmation Method invalid
17 No SubjectConfirmationData element in the SAML Assertion sent
18 SAML Assertion InResponseTo is invalid
19 Recipient in SAML Assertion SubjectConfirmationData is invalid
20 Address in SAML Assertion SubjectConfirmationData is invalid
21 NotOnOrAfter in SAML Assertion SubjectConfirmationData is set to a value 1h into the past
22 Two Assertion SubjectConfirmationData elements whereas the first is the valid one and the second is a wrong value.
23 Two Assertion Subject Confirmation Data elements whereas the first is the wrong one and the second has the correct value.
24 SAML Assertion Condition is inserted which is unknown to the service provider
25 SAML Assertion Condition NotBefore is set to a value of 1h in advance.
26 SAML Assertion Condition NotOnOrAfter set to 1h in the past.
27 Syntax test to check that the SP supports the OneTimeUse element.
28 AudienceRestriction element in SAML Assertion Condition is empty
29 AudienceRestriction element in SAML Assertion Condition is set to a wrong value
30 Two values in one SAML Assertion AudienceRestriction element. The wrong value is the first
31 Two values in one SAML Assertion AudienceRestriction element. The wrong value is second.
32 Two AudienceRestriction elements in SAML Assertion. The first element holds the wrong value
33 Two AudienceRestriction elements in SAML Assertion. The second element holds the wrong value
34 Two AudienceRestriction elements in SAML Assertion. Both hold two audience values in different ordering
35 AuthnStatement is missing in SAML Assertion
36 Sets the SubjectLocality of AuthnStatement to a non valid IP address
37 AuthnInstant timestamp of Assertion AuthNStatement is moved one day into the future.
38 AuthnInstant timestamp of Assertion AuthNStatement is moved one day back in time.
39 SessionNotOnOrAfter timestamp of Assertion AuthNStatement is set one day in the past.
40 AuthnContextClassRef of Assertion AuthNStatement is set to “unspecified” and should be declined by the service provider.
41 Multiple Signature tests: signature exclusion
42 Multiple Signature tests: mangled signature
43 Multiple Signature tests: wrong signature key
44 signature wrapping variants
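
The checks behind several of the test cases listed above, sketched as service-provider-side validation. This is an added example, not code from SSOCircle, SSOCheck or any of the tested vendors. The entity IDs, URLs, clock and sample message are constructed, timestamps are assumed to carry no fractional seconds, signature verification (tests 41-44) is assumed to have happened already, and responses carrying more than one assertion are refused outright.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"p": P, "a": A}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
KNOWN = {f"{{{A}}}{n}" for n in ("AudienceRestriction", "OneTimeUse", "ProxyRestriction")}
SKEW = timedelta(minutes=3)  # assumed clock-skew tolerance
# Constructed SP settings and clock for the sample message (all values made up).
CFG = {"idp": "https://idp.example.test", "sp": "https://sp.example.test",
       "acs": "https://sp.example.test/acs", "request_id": "_req1"}
NOW = datetime(2014, 12, 23, 10, 1, tzinfo=timezone.utc)

def when(el, name):
    """Read a SAML UTC timestamp attribute; None if it is absent."""
    v = el.get(name)
    return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if v else None

def common(el, kind, cfg, now):
    """Checks shared by Response (tests 6, 7, 10) and Assertion (tests 11-13)."""
    issued = when(el, "IssueInstant")
    return [(f"{kind}.Version", el.get("Version") == "2.0"),
            (f"{kind}.Issuer", el.findtext("a:Issuer", None, NS) == cfg["idp"]),
            (f"{kind}.IssueInstant", issued is not None and issued <= now + SKEW)]

def confirmed(assertion, cfg, now):
    """True if one bearer SubjectConfirmation is fully acceptable (tests 16-23)."""
    for c in assertion.findall("a:Subject/a:SubjectConfirmation", NS):
        data = c.findall("a:SubjectConfirmationData", NS)
        if c.get("Method") != BEARER or len(data) != 1:  # duplicates are refused
            continue
        d, end = data[0], when(data[0], "NotOnOrAfter")
        if (d.get("Recipient") == cfg["acs"] and d.get("InResponseTo") == cfg["request_id"]
                and end is not None and now < end + SKEW):
            return True
    return False

def validate(xml_text, cfg, now, seen_ids):
    """Return the names of failed checks; an empty list means accept.

    Production code should parse untrusted XML with a hardened parser
    (for example defusedxml) and verify the signature first.
    """
    resp = ET.fromstring(xml_text)
    found = resp.findall("a:Assertion", NS)
    cond = found[0].find("a:Conditions", NS) if len(found) == 1 else None
    if resp.tag != f"{{{P}}}Response" or cond is None:
        return ["Structure"]  # tests 3 and 4; zero or several assertions too
    a, code = found[0], resp.find("p:Status/p:StatusCode", NS)
    start, end = when(cond, "NotBefore"), when(cond, "NotOnOrAfter")
    restrictions = cond.findall("a:AudienceRestriction", NS)
    checks = common(resp, "Response", cfg, now) + common(a, "Assertion", cfg, now) + [
        ("Response.Status", code is not None and code.get("Value") == SUCCESS),    # test 5
        ("Response.InResponseTo", resp.get("InResponseTo") == cfg["request_id"]),  # test 8
        ("Response.Destination", resp.get("Destination") == cfg["acs"]),           # test 9
        ("Assertion.NameID", a.find("a:Subject/a:NameID", NS) is not None),        # test 14
        ("Assertion.SubjectConfirmation", confirmed(a, cfg, now)),
        ("Conditions.NotBefore", start is None or now >= start - SKEW),            # test 25
        ("Conditions.NotOnOrAfter", end is None or now < end + SKEW),              # test 26
        ("Conditions.Unknown", all(c.tag in KNOWN for c in cond)),                 # test 24
        # Audiences inside one restriction are OR-ed, separate restrictions are
        # AND-ed, so every restriction must name this SP (tests 28-34).
        ("Conditions.Audience", bool(restrictions) and all(
            any(au.text == cfg["sp"] for au in r.findall("a:Audience", NS))
            for r in restrictions)),
        ("Assertion.Replay", bool(a.get("ID")) and a.get("ID") not in seen_ids),   # test 2
    ]
    errs = [name for name, ok in checks if not ok]
    if not errs:
        seen_ids.add(a.get("ID"))  # remember accepted assertion IDs until they expire
    return errs

def restriction(*audiences):
    """Build one AudienceRestriction element for the constructed sample."""
    items = "".join(f"<saml:Audience>{v}</saml:Audience>" for v in audiences)
    return f"<saml:AudienceRestriction>{items}</saml:AudienceRestriction>"

def sample(conditions, destination=CFG["acs"], aid="_a1"):
    """Constructed, unsigned sample Response; every value in it is made up."""
    t, idp, acs = "2014-12-23T10:00:00Z", CFG["idp"], CFG["acs"]
    return f"""<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}" ID="_r1" Version="2.0"
 IssueInstant="{t}" InResponseTo="_req1" Destination="{destination}">
<saml:Issuer>{idp}</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{t}">
<saml:Issuer>{idp}</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.test</saml:NameID>
<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
 Recipient="{acs}" InResponseTo="_req1" NotOnOrAfter="2014-12-23T10:05:00Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2014-12-23T09:59:00Z" NotOnOrAfter="2014-12-23T10:05:00Z">
{conditions}</saml:Conditions>
<saml:AuthnStatement AuthnInstant="{t}"/></saml:Assertion></samlp:Response>"""
```

Note that a wrong audience listed next to the correct one inside a single AudienceRestriction (tests 30 and 31) is acceptable under the OR rule, while a second AudienceRestriction that does not name the service provider (tests 32 and 33) is not.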

Conclusion:
None of the tested cloud services fully complied with the SAML standard.

SAP and Salesforce did not reveal any severe problems which could lead to a significant exploit. Nonconformity to the specification might lead to the non-functioning of specific use cases, but it can be justified in order to achieve broader compatibility with IDP products or might be argued with risk-based approaches.
The Google Apps SAML implementation revealed several issues which could be leveraged in an attack scenario. The good news is that Google has rolled out fixes for these findings, which we were able to verify.
We especially thank the Google team for a valuable interaction and cooperation.

If you have questions or comments please let me know. We are also looking for other SaaS services, which might be of general interest to run the tests against.


Terms Of Use updated

English on August 24th, 2014 No Comments

This is to announce a change in the SSOCircle Terms of Use which might affect both existing accounts and new user registrations to the public IDP. From now on we might block registrations with specific email addresses (for example disposable email addresses)  and we will limit (currently 3 – subject to change) the number of user accounts registered to a single contact address.

Why the change? In the last months we have been seeing growing numbers of registrations used for regular training classes and/or large scale quality assurance test runs. Although we advocate this kind of usage, we consider it a matter of fairness for these companies to purchase either our hosted IDPee offering or to subscribe to SSOCheck API private. Both offer a hosted tenant where any number of users might be created. SSOCheck Private API even adds the opportunity of running additional compliance and security tests against SAML service provider deployments.

This decision was made to protect the investment of our paying customers and to keep the public IDP running as a free service – without annoying advertising.

Please note: Existing accounts not corresponding to the Terms of Use should be changed to be compliant. Non-compliant user accounts will be inactivated in the next days.

If you have questions or comments, please contact us.


Impressions from European Identity & Cloud Conference 2014

English on May 22nd, 2014 No Comments

What are the hot topics this year? What will be announced dead? These are the questions always accompanying KuppingerCole’s European Identity & Cloud conference, which was held for the 8th time from 13.-16. May. The conference gathered more than 600 visitors from 35 countries, 150 international expert speakers and 50 exhibitors discussing the Internet of Things and the agile, connected business. After years of consolidation in the IAM industry it seems that this year more software and service vendors populated the floor space in the Dolce Ballhausforum in Munich. Almost half of the exhibitors were new compared to last year, demonstrating that there is still a lot of movement in the market and space for new players and segments. Worth mentioning are the application security testing companies exhibiting this year at EIC.

No big surprise that the NSA scandal, Heartbleed and their implications ran like a common thread through many of the presentations, as they deeply impact the awareness of privacy issues in society and the information security business itself. They clearly demonstrate to the information security industry and its customers that protection from today’s complex threats cannot be accomplished only by technical standards and trust in their accurate, uninfluenced implementation in software and hardware products.

And what was killed? Was it the absence of the most provoking speakers like the highly esteemed Craig Burton and Fulup ar Foll? This year it was noticeable that the speakers were more reserved and cautious in their statements. Martin Kuppinger said: “If something is declared to be dead, it would be SIEM” but not without adding in the next sentence that “Real-time Security Intelligence” is the next big thing. Ian Glazer, former Burton/Gartner analyst and now with Salesforce, one of the shiny characters at the conference, killed IDM. Identity management dead? An astonishing announcement at an identity conference. But …, he only killed IDM in order to save it. According to him the “new” IDM must a) naturally integrate b) be part of the business and c) be ready for the real world. IDM must evolve away from using Excel and CSV as the most important IDM tools and away from hierarchical modelling of relationships. Although not directly IDM related, I would declare the iPad dead. To me it was obvious that, compared to past years, most attendees were not using tablets to take notes but their more or less conventional laptops.

Like every year the conference lasted three days from Tuesday to Thursday and an additional workshop day on Friday. As always the agenda was fully packed from 8:30 to around 19:30. With up to 5 parallel tracks it is difficult to decide where to go. The selection of topics described here depends on my personal choice.

From four parallel workshops on the first day I visited the Kantara Initiative Workshop on “Consumer Identity – International Use Cases and Approaches” moderated by Joni Brennan and the OpenID Foundation Workshop on “Enterprise Application of OpenID Connect, Mobile Apps SSO, Account Chooser”. The Kantara Workshop described the evolution of today’s identity management requirements from perimeter IAM – the employees – to perimeter-less federation and consumerization. The workshop introduced the Kantara certification program: “Identity Assurance Accreditation and Approval Program” which provides a trust status listing service, provider registry and white listing. Maciej Machulak showed a demo of UMA – user-managed access. The consent pages are similar to OAuth, but UMA does not necessarily require a close coupling between resource and authorization server, and other users are able to request access to personal data of the resource owner. For an overview of use cases visit the Kantara UMA case study page.
The OpenID Foundation Workshop held in parallel centered on the question of the adoption of OpenID Connect. Microsoft Azure Active Directory will support OpenID Connect. Yahoo and Google will support OpenID Connect next year deprecating the OpenID 2.0 and OAuth 2.0 userinfo and scopes endpoint. Watch Google’s migration timetable. Interesting to note: Although OpenID Connect standard was finalized in February 2014, the single logout profiles are not. A discussion around that topic was started in the workshop gathering the opinion of participants about three approaches, which need to balance cheap and easy implementation versus reliability and completeness:

  1. The current logout mechanism in the OpenID spec with JavaScript listening for state change at the client. A pattern optimized for Ajax applications, but it has cons because active JavaScript listening is required and it doesn’t work if the browser tab is not active.
  2. Use of a logout page with embedded images/iframes linking to the relying parties – the approach Deutsche Telekom is using. The advantage here is the solution’s simplicity, which does not need JavaScript. The downsides are that the IDP has to track active sessions, it does not work when the browser is closed and, last but not least, you need these ugly logout pages.
  3. Notification over the back channel. Probably the most complete approach described here. It works even when the browser is closed. The main disadvantage is that the relying party needs logic to identify sessions by an explicit identifier, which causes scaling issues.

As usual the conference itself started with an afternoon of keynotes. One of the highlights is always Martin Kuppinger’s presentation. He started with a brief history in IT which leads to today’s agile, connected business and the Identity of Things which will be the hot topics of next years. He came up with his gloomy prognosis “Waiting for the disaster …”. To quote him: “Something will happen: hacking the connected car, running out of water and power and/or revealing your secrets.” Raising awareness that privacy needs security and vice versa. The title of his top trends slide was “The Digital Future Buzzword Bingo”:

  • Application Security Infrastructure
  • Information-Centric Security
  • Domain-Independent Security
  • Secure Information Sharing
  • Layered Security and the next generation Firewalls & AVs
  • Realtime Security Intelligence
  • Software Defined Environment/Computing Infrastructure
  • Secure IoEE (Internet of Everything and Everyone)
  • Future of Authentication & Authorization
  • Cloud IAM
  • Future of eMail Security & Privacy
  • Life Management Platforms

Another highlight of the conference was the presentation of Ladar Levison, the founder of Lavabit, talking about building a system that is secure against attacks from an attacker with quasi unlimited computing power and cryptographic expert pool. For more information on the Dark Mail alliance of Silent Circle and Lavabit consult the web site http://darkmail.info. The architecture and protocol specifications are currently under review and will be published by the end of summer. Quoting Ladar: “Publishing date depends on how many protocol holes will be found in the review – but he hopes he will not get so paranoid that he will never release it”. Interesting to watch how the technology will be adopted in the coming years.

One of my personal highlights on day 2, besides the identity award ceremony, was the presentation of Paul Fremantle, the founder of WSO2, who propagated the Enterprise Identity Bus Model as the solution to replace the failed single monolithic identity system. The tasks of the identity bus are to bridge between tokens (SAML, OAuth 1.0/2.0, OpenID, OpenID Connect), claims and claim dialects and provisioning (SPML, SCIM, Salesforce, Google and other JiT variants).

In the evening KuppingerCole presented the winners of “The European Identity & Cloud Awards 2014” for the 7th time – this year only in 6 categories:

  • Best Cloud Security Project: NXP Semi Conductors
  • Best Access Governance and Intelligence Project: Banca Intesa Beograd
  • Best IAM Project: UK Ministry of Defense
  • Best Innovation / New Standard: Kantara Initiative: UMA User Managed Access (OIDC finalized this year, but it already received the award in 2012)
  • Special Award: Best innovation for Security in the API Economy: IETF with JWT/JOSE
  • Lifetime Achievement Award: Ann Cavoukian for Privacy by Design

Award details at the KuppingerCole web site: http://www.kuppingercole.com/article/award2014. For Privacy by Design please read the EIC presentation https://www.oasis-open.org/presentations/eic-2014-dawn-jutla-may-12.pdf.

On day 3 one of the track topics was around adaptive and risk based authentication. The FIDO alliance (http://fidoalliance.org/) was founded in February 2013 by 6 members and has expanded to 122 members today, clearly demonstrating the need for and interest in standardizing authentication. FIDO’s mission is to change the nature of online authentication by developing and submitting technical specifications as well as operating programs to ensure worldwide adoption. Current specifications are UAF – Universal Authentication Framework and U2F – Universal 2nd Factor, which can be downloaded from http://fidoalliance.org/specifications/download.

Last but not least it is worth saying the European Identity & Cloud Conference again was a success and well organized by the KuppingerCole team. Next year’s conference will be held from 5th-8th May 2015 at the same location.


Infosecurity Europe 2014

English on May 6th, 2014 No Comments

Infosecurity Europe 2014 was held from 29. April to 1. May in London – the gathering of information security professionals. It is the largest event of this type in Europe.

You made it to London and despite the Tube strike during the days of the event you reached Earls Court. On entering the conference center you are overwhelmed by more than 325 exhibitors representing the huge portfolio the information security industry provides. Infosecurity Europe is mainly a fair, with companies of all sizes showcasing their products in on-stand presentations and creative set-ups like Pen Test Partners’ “Security Kitchen” or Ping Identity’s Lego Mosaic “Keep Identities where they belong”.

But Infosecurity Europe is more than just that. Infosecurity offers keynote presentations, workshops and other educational courses.

The subheading “Security as a business enabler – are you fit for 2014?” highlights the growing awareness of security in organizations today. After the NSA scandal and the Heartbleed bug, not only tech guys but also business leaders painfully realize the limits of technology and the false sense of security.

Following up on this context, the Ponemon Institute and Thales e-Security presented the “Global Encryption Trends Study”, which surveyed 4,802 individuals across multiple industry sectors in eight countries: US, UK, Germany, France, Australia, Japan, Brazil and for the first time Russia. The research examined the evolution of the use of encryption and the security posture of organizations during the last 9 years.

Citing from the report, the big encryption trends over nine years are:

  • Steady improvement in the security posture of companies
  • Increase in the use of encryption as part of the Enterprise Strategy
  • Business units getting more influence in choosing and deploying encryption
  • Importance of compliance as the main driver decreases versus privacy considerations – although there is a big difference from country to country
  • Key management continues to be a challenge
  • Spending in encryption and key management increases

Next year Infosecurity Europe will be held from 02-04 June 2015 at a new location “Olympia”.


Impressions from European Identity & Cloud Conference 2013

English on May 26th, 2013 No Comments

Big Data, life management platforms, extended enterprise++, fusion drive, dead standards and identity silo relaunched. European Identity & Cloud Conference 2013 had lots of new and old topics. The 7th EIC was held for the 3rd time in the Dolce Ballhausforum from 14-17th May, gathering many digital identity thought leaders and making Unterschleissheim the identity capital of Europe or even the world.

As always the conference was well organized in a pleasant environment with a noticeable Bavarian touch. Exhibitors and visitors from 33 countries, 5 parallel tracks and 150 speakers gave insight into new trends in identity, access management and cloud computing. The number of visitors increased slightly compared to last year, with end users now representing the majority of visitors.

As usual the conference started with some half-day pre-workshops, continued with 2 ½ days of tightly packed conference and an additional workshop day at the end. KuppingerCole’s team of analysts grew again, with Peter Cummings and Rob Newby, proven experts with practical project implementation experience, joining the team.

As known from previous years, the conference started with a series of keynotes from sponsors, customers and academics. The first keynote was delivered by Martin Kuppinger, who spoke about identity and cloud trends and about “setting the right direction”. The three biggest trends were called the “Computing Troika”, which is made up of Cloud Computing, Mobile Computing and Social Computing. Information security receives more attention – it makes it to the 8 o’clock news – and is now a business success factor. “Risk” is the common language which aligns IT and business viewpoints. Identity and privacy incidents can massively damage the reputation of a company. For that reason IAM is closer to business than ever. KuppingerCole BII is a business impact indicator for information technology which graphically indicates the value of a particular IAM technology in terms of business alignment, business enablement, cost savings and compliance fulfillment. The KuppingerCole CIO GPS helps you find your path in governance, privacy and data protection, and security. It shows which technologies are the best for achieving specific targets. Another topic that he discussed was the API Economy, also named the Extended Enterprise++, which reveals big potential for business enablement in the extended enterprise (business partners and customers).

What were the main topics in the conference?

Data Privacy and Protection Laws
With Karsten Kinast, an attorney concentrating on data protection and IT law, joining the KuppingerCole analyst team, a stronger focus on legal topics was obvious. Presentations and discussions on EU regulation shaped one track of the conference.

Big Data

Another big topic was Big Data. What is meant by Big Data in the IAM context? There is no exact definition available – something that we already know from the “cloud”. According to a track session by Mike Small and Sachar Paulus, it is something like a big data warehouse based on data that is publicly available. Big Data’s characteristics are:

  • Volume: according to an IDC report, 2.8 exabytes of data were created in 2012
  • Velocity: lots of data events
  • Variety: can be text, voice, photos, video

Technologies used to deal with Big Data:

  • Hadoop: Map/reduce
  • Elastic MapReduce (Amazon)

And to deal with velocity:

And with variety:

  • natural language processing
  • Graph stores
  • XML stores

Why is Big Data handled in the conference? Transforming Big Data into smart data by analyzing and combining it creates information and confidentiality problems. Existing access controls cannot be applied because you cannot define protection levels if you don’t know how and what will be processed and analyzed. Smart data becomes relevant as business can benefit from it by improving competitiveness or transforming products.

Life management platforms (LMP)

Life management platforms are the evolution of today’s social networks and personal data stores: something that might be the result of the user’s wish to get more control over his data, and something which becomes more prevalent in times where everyone has the feeling that too much personal data gets collected by the Googles, Facebooks etc. and used for their own purposes. In times where a SmartTV is able to track which programs you are viewing and Microsoft is reading your Skype messages to check hyperlinks that were sent, users see a need for a change. But the road to LMP also means a fundamental change in attitude from quick profit to trust.
According to a keynote from Craig Burton, the life management platform is not a product. It is extensible and API enabled, with privacy by design (proxy façade). LMP is not a personal data store. LMP is not a social network. It follows the principles of controlled push and informed pull with privacy controls. Controlled push means that a customer provides only controlled, partial information from his data to a service, which ensures privacy. Informed pull describes the concept where a user requests information from different sources while guaranteeing confidentiality of the data towards competitors of the service. Issues for the success of LMPs arise from the need for vendors to cooperate in sensitive areas – a schema must be defined. According to Burton’s rule of thumb, adding an element to a schema takes 1 year. Adding 10 elements takes 10 years. A possible solution might be the Graph API. Microsoft cloud directory is schema independent.


European Identity & Cloud Awards:

One of the highlights of the conference is the Award Ceremony, which was introduced with the 2nd conference and was now held for the 6th time. Martin Kuppinger noted that this year a significant number of nominations were available, which emphasizes the increasing maturity in some of the IAM areas. He mentioned that a few years ago it was difficult to find successful mature projects.
This year prizes in 11 different categories were awarded:

1. Best Identity and Access Management project
Winner: Virgin Media represented by Paul Edmondson from aurionPro SENA: “Infrastructure for the Olympic Games: WiFi for the tube with high numbers of authentications every time a train is entering a station”

2. Best Access Governance and Intelligence Project
Winner: Deutsche Bank – represented by Carolin Pfeil: “Manage complex SOD rules in a very large institution”

3. Best Access Governance and Intelligence Project II
Swiss Re represented by Daniel Frei: “Dynamic access management, based on DirectoryX and Axiomatics”

4. Best Cloud Security Project
Evry represented by Anne Bergersen: “Multitenant IAM infrastructure in the cloud which brings together a way of identifying customers and citizens in Norway. Based on NetIQ”

5. Best approach on improving governance and mitigating risks
Universitäts Krankenhaus Hamburg-Eppendorf represented by Juerg Staebler – IBV Informatik AG:
“Privileged account management in health care industry leveraging Lieberman Software. Now using one time password instead of plain text passwords. Project implemented in 3 days.”

6. Best innovation /new standard in information security
An obvious choice: OAuth 2.0 – the OAuth standard team represented by Mike Jones, Microsoft “new and influential it feels like it is around for a longer time”

7. Lifetime Achievement Award
Kim Cameron, Microsoft – evidently deeply moved by the award.

8. Special award: Bridging the organizational gap between business and IT
Volkswagen Financial Services represented by Marek Bingel: “Well defining guidelines and processes which enables to move forward”

9. Special Award: Rapid and lean implementation of IAM/IAG
E.ON Global Commodities – represented by Carsten Mielke: “Governance project based on CrossIdeas”

10. Special award: Rapid re-design and re-implementation of the entire IAM
Schindler Informatik AG represented by Reto Tomasini and Gary Edward Stewart: “Identity provisioning infrastructure based on Quest Identity Manager”

11. Special Award integration of Provisioning and Access Governance in a complex banking environment
HypoVereinsbank represented by Ulrich Haumann: “Provisioning combined with Governance of a large number of applications based on Microsoft Forefront Manager”


In an interesting panel discussion by Craig Burton, Mike Neuenschwander, Gerry Gebel and Martin Kuppinger on the future of IAM, the panel quickly turned to a discussion on “dead standards”, a topic which became a running gag during the entire conference. Motivated by a blog article by Forrester’s Andras Cser, this year’s “dead standard” candidate number one was XACML (like basically all XML-based standards). Craig Burton stated that he does not expect to see a product deployment with XACML in its current form. Gerry Gebel retorted that AuthZ is very important and that XACML is working on JSON/REST profiles to move more towards APIs.

The topic of standards and their practical usage was continued in another panel session on the second day by Craig Burton, David Brossard of Axiomatics speaking for XACML, Darran Rolls of SailPoint for SCIM, Paul Madsen of Ping for SAML and Michael B. Jones of Microsoft for OAuth. Jones pointed out that OAuth 2.0 was designed with simplicity in mind, as the 1.0 spec turned out to be too complicated. OAuth 2.0 is designed to use existing security layers like TLS, and because it is REST-based the developer does not even need a library. Paul Madsen replied that the “S” in SAML does not stand for “simple” like in SCIM but for “security”. SAML sets the bar for the industry. And everything comes with a price – in this case 800 pages of specification. For security, SAML was historically designed to reflect the legal contract between parties.

A question on the “liveliness” of AuthZ profiles within SAML was answered by noting that a few years ago it was recognized that SAML is better suited to authentication and attributes. XACML is the better fit for AuthZ – and SAML and XACML work well together. David Brossard denied that XACML is losing traction. He, as a XACML product vendor, is seeing more adoption, and the focus is now more on developers and profiles to make XACML simpler. Asked about SCIM versioning not being stable after the transfer of SCIM to the IETF, Darran Rolls replied that SCIM 1.1 can be implemented.

A good conclusion was given by Paul Madsen on the question of what he would recommend to customers if they were asking for a specific standard: what fits best depends on the use case. SAML is not optimized for mobile. Ping would not push it for mobile. OpenID Connect may be a problem if the partners do not support it. SAML is definitely more widespread (a quick poll in the audience initiated by Pamela Dingle confirmed that). The best measure of the mortality of a standard is the number of deployments.
Someone in the audience added that a measure could also be the open source implementations available. SAML has several, XACML mainly for the 2.0 version, SCIM with UnboundID – but OAuth, as a simple REST-based protocol, does not really need a library implementation.

People like Craig Burton, Fulup Ar Foll and others are always good for some catchy quotations. I noted some of them:

We need the hacker to stay in business.

If I BYOD, I have the right to install malware.

There are public APIs and DARK APIs.

OAuth and REST are the fusion drive for the API economy.

Banks and operators are too fat, lazy and rich to take the risk to compete with the Facebooks and Googles.

Some links worth mentioning:

Datownia, with an interesting developer use case demonstrating how APIs can be used to enable frictionless integration with Windows Azure AD and the Windows Azure Graph Store by using the Datownia system developed by Release Mobile Ltd.

Dutch authentication and authorization for legal entities: eRecognition

bwIDM: Federation for non-web-based services like HPC between universities of the state of Baden-Württemberg. The solution is called FACIUS.

www.trustindigitallife.eu: Consortium focusing on TRUST in digital Life

FIDIS: Future of Identity in the Information Society

AZA – Native Authorization Agent: enabling mobile SSO cross native apps.

Topics I missed:
Not much about Cloud Crypto. New companies in this area were not represented at the conference.

My personal winner at EIC 2013:
OAuth 2.0: fast specification, quick adoption, feels like it has been around for a much longer time.

Last but not least: The European Identity & Cloud conference 2014 will be held from 13.-16. May. Guess where? In the identity capital Unterschleissheim. See you there.
