Thursday, August 31, 2006

Economy of Identity Theft

I was having a conversation today with a professional colleague and one of my accounts, and an interesting discussion came out of it.

With the tally of identity theft approaching, if not exceeding, the 100 million mark, roughly one in three of us has had our identity-related information compromised. If we were the thief, would we use the identity information right away and make a quick buck at $2 a pop, or wait?

If we were RBPs (Really Bad People) like terrorists, and we had the laptop with the 26 million veterans' records on it, $52 million isn't a bad score for breaking and entering. Allegedly no one accessed the data, but if I were a bad guy and could make $52 million I would spend whatever I had to on good bit-for-bit forensic imaging software to copy the drive completely and leave no trace; imaging a powered-off drive through a write blocker leaves nothing on the drive itself to find. The Feds think they have an unaccessed drive and the heat is off.

The other interesting tangent to the discussion was this: if you break into a college's system, do you use or sell the identities now, or do you wait 10-15 years until they go from broke college students to people with a net worth? Is the identity worth more then? Their SSN won't change, nor will their date of birth; you have an old address and maybe some other information, but now instead of being approved for a $300 credit card account, that identity will get you $30,000. You go from scoring a car payment to scoring a car.

Maybe locking down credit access isn’t such a bad thing…

Wednesday, August 30, 2006

Another Travesty That Could Have Been Avoided

Well folks, the latest company to wind up on the data breach list is AT&T. The AT&T hack exposed 19,000 customers' identities. Reposted from the ZDNet site:

The break-in occurred over the weekend and was discovered within hours, after which the online store was shut down, AT&T said. The telecommunications company quickly notified credit card companies and is in the process of contacting the affected customers via e-mail, phone and letter, it said.

I don't know if hours means 2 or 40, but from my perspective it is irrelevant. The bottom line from my perspective is that this activity is ENTIRELY preventable, and I can prevent it from happening. How, you ask?

Because if you do not have an identity that is known to me and valid (as a company), AND you don't have a machine that I know and trust, you don't get access to my networks, servers, or applications. Period.

No identity (user or machine), no entry.

Game over.

Pick on someone else.

If you want to learn more - email me - identitystuff @ and I'll take you through the how.

Wednesday, August 23, 2006

IBM buys ISS

IBM to acquire Internet Security Systems
Cash deal values Internet Security at $1.3 billion, or $28 a share


Now that's some news! I wonder what it feels like to write a $1.3B check...

How Many Roles Would You Like With That?

As I was loading the dishwasher last night I was thinking about roles and role definitions, the good and the bad, and asked myself the question:

Is role definition really about roles, access levels, or something else?

When I think about defining roles I think of what it takes to manage them, and then what the REAL point of a role is. Is it to help group users in another way, such as by access level, or is it a way to assign trust to a user type (assuming that the higher up the food chain you go, the more trust you gain), or is it simply a component of identity?

The other questions that followed were: why would anyone ever want to go down the road of defining roles in the first place, especially since users are the most transient component of a company? People come and go all the time, especially contractors. So why would anyone try to define a role unless it was to assign a level of trust and to set up rules for access to networks, infrastructure, or applications?

If roles are about access, then why wouldn't you define roles for the applications, and then make the most of your directory group structure so that you assign roles to a FAR less transient population (you don't bring dozens of applications up every week, right?), and then define access by user or group, where the groups are where trust is assessed and assigned?

What's missing here? I am asking the identity community for feedback. If you blog a response, please email the URL back to me at identitystuff @; otherwise leave one here…
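To make the proposal above concrete, here is an added example (my own illustration, not code from the original post or any product): roles are declared by each application, trust is granted to directory groups, and people are resolved only through group membership. Bringing up a new application touches the grants; a contractor leaving touches only membership. The application, group and user names are constructed.

```python
"""Added example, not from the post: roles declared per application, trust
granted to directory groups, and people resolved only through group
membership. Application, group and user names below are constructed."""


class RoleDirectory:
    """Minimal model: app -> roles, group -> (app, role) grants, group -> users."""

    def __init__(self):
        self.app_roles = {}   # app name -> {role name: description}
        self.grants = {}      # group DN -> set of (app, role)
        self.members = {}     # group DN -> set of user ids

    def register_app(self, app, roles):
        """Each application declares its own roles and nothing about people."""
        self.app_roles[app] = dict(roles)

    def grant(self, group, app, role):
        """Bind a role to a group; reject roles the application never declared."""
        if role not in self.app_roles.get(app, {}):
            raise ValueError(f"{app} does not define role {role!r}")
        self.grants.setdefault(group, set()).add((app, role))

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def remove_member(self, group, user):
        self.members.get(group, set()).discard(user)

    def effective_roles(self, user):
        """Everything a user can do, derived purely from group membership."""
        roles = set()
        for group, users in self.members.items():
            if user in users:
                roles |= self.grants.get(group, set())
        return roles

    def authorize(self, user, app, role):
        return (app, role) in self.effective_roles(user)

    def offboard(self, user):
        """Contractor leaves: one directory change revokes every application."""
        for users in self.members.values():
            users.discard(user)


def build_sample_directory():
    d = RoleDirectory()
    d.register_app("hr-portal", {"viewer": "read employee records",
                                 "admin": "edit employee records"})
    d.register_app("payroll", {"approver": "approve payroll runs"})
    # Group grants change rarely: only when an application is added or its roles change.
    d.grant("CN=HR-Staff,OU=Groups", "hr-portal", "viewer")
    d.grant("CN=HR-Managers,OU=Groups", "hr-portal", "admin")
    d.grant("CN=HR-Managers,OU=Groups", "payroll", "approver")
    # Membership is the only thing that moves with the workforce.
    d.add_member("CN=HR-Staff,OU=Groups", "alice")
    d.add_member("CN=HR-Staff,OU=Groups", "bob")
    d.add_member("CN=HR-Managers,OU=Groups", "alice")
    d.add_member("CN=Contractors,OU=Groups", "carol")   # no grants: no access
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(d.effective_roles(user)))
    d.offboard("alice")
    print("alice after offboarding:", sorted(d.effective_roles("alice")))
```

The check worth noticing is in `grant`: a group can only be bound to a role the application actually declared, so the application stays the authority on what a role means and the directory stays the authority on who is trusted to hold it.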

Friday, August 18, 2006

The PAC-LAC Connection


Nishant had blogged about the convergence of Physical and Logical access control a while back, and with the number of things coming out of the US Government, I can assure you that this will be a major concern going forward. The activist stunt (my perception) pulled by the fruitcake in VT, Catherine C. Mayo, will certainly help justify the need for identity and access control to be very tightly coupled. Anywhooooo….

So I have been working a lot in two areas recently: HSPD-12 and NERC CIP-001 through CIP-009 (Critical Infrastructure Protection). Both of these major initiatives signal, I believe, the inevitability of Physical Access Control (PAC) and Logical Access Control (LAC) combining, so that one access policy can ultimately be enforced for physical structures and for data.

The interesting part of this will be protecting privacy while removing anonymity from access.

I would hope that the relatively new identity-based access control solutions will be considered, for several reasons. A person's identity can be bound to a physical avatar (think smart card/badge) that lets the user pass credentials to a machine/system, which arguably helps protect privacy: it is a physical-object-to-physical-object transaction (card to reader). That avatar can then be used for Logical (network) Access Control, since a card reader bound to a person's workstation turns it into a physical-to-virtual transaction. From there it's all virtual.

The next question would be - how can we emulate a physical avatar in a virtual world?

One answer is - user and machine identity. Bind the avatar and the user to the device used to operate in the virtual world.

I can't use my lawnmower to traverse networks, nor can I use my computer to mow my lawn (boy, would that be great though). The point is that I want to be able to associate the components of my identity (lawnmower riding skills) with the tools (lawnmower) required by the environment I am in (uncut lawn). Maybe it's not the best example, but you'll know where to find me this weekend.

So what I have been working on is telling and showing people that the PAC-LAC bridge exists today. It’s not obvious, but boy is it powerful…

Identitystuff @

Monday, August 14, 2006

Identity - Device & User

I spent some time this weekend wondering about identity management and where it was going and here is what I kept coming back to:

Is identity then the compilation of identification and trust?

If so, then won't we by nature get into the business of identifying devices, and other tools and then seek to establish if they are trustworthy or not?

The way I was thinking about this is that a user's credentials (ID, role, etc.) are essentially useless without a device that enables access to an authority that assigns a level of trust. Once identified and with a trust level established, you're in.

I then wondered if NAC was the logical extension of this, with the health of the device as the gating factor for trustworthiness, and then challenges, logins, etc. as the ongoing validation of trust and assessment of risk. Does this mean that health is the only way? I hope not. How about knowing whether the device is owned by you or by an outsider? Does this affect the trustworthiness of the device? Of the user?

How about knowing if the user is bad? Does this mean that the device is bad too? Tokens are nice in that they add another layer of trust for the user, but they do nothing for the machine/device part of the identity.

Comments are welcome, and yes, you will go through a 'challenge' to post a comment. I got sick of the breast enlargement cream ads and invites to check out various lotions, potions, powders, and pills.

identitystuff @
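The "no identity (user or machine), no entry" rule from the AT&T post and the user-plus-device questions above come down to one decision function. Here is an added example of that decision (my own illustration, not code from the original posts or from any NAC product): user trust and device trust are established separately, device ownership and posture feed the device side, a token raises only the user side, and a resource states the minimum it needs of each. Users, devices, resource names and policy levels are all constructed.

```python
"""Added example, not from these posts: an access decision that requires BOTH
an established user identity and an established device identity, with device
ownership and posture (the NAC "health" question) and a user token as separate
trust inputs. Users, devices and resource names are constructed."""

from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    NONE = 0   # identity not established at all
    LOW = 1    # identified, weakly assured
    HIGH = 2   # identified and strongly assured


@dataclass(frozen=True)
class User:
    name: str
    password_ok: bool
    otp_ok: bool = False          # hardware/soft token presented and valid


@dataclass(frozen=True)
class Device:
    fingerprint: str              # e.g. machine certificate thumbprint (constructed)
    enrolled: bool                # known to inventory / issued a machine credential
    corporate_owned: bool
    healthy: bool                 # posture check passed (patched, AV running)


def user_trust(u: User) -> Trust:
    if not u.password_ok:
        return Trust.NONE
    return Trust.HIGH if u.otp_ok else Trust.LOW


def device_trust(d: Device) -> Trust:
    if not d.enrolled:
        return Trust.NONE         # a machine we cannot name gets no trust, healthy or not
    if d.corporate_owned and d.healthy:
        return Trust.HIGH
    return Trust.LOW              # known, but personally owned or failing posture


# Minimum (user trust, device trust) per resource. The token raises user trust
# only; it cannot lift an unknown or unhealthy device.
POLICY = {
    "remediation-vlan": (Trust.LOW, Trust.LOW),    # patch servers only
    "intranet":         (Trust.LOW, Trust.HIGH),
    "online-store-db":  (Trust.HIGH, Trust.HIGH),
}


def decide(user: User, device: Device, resource: str):
    """Return (allowed, reason). No identity on either side means no entry."""
    min_user, min_device = POLICY[resource]
    ut, dt = user_trust(user), device_trust(device)
    if ut == Trust.NONE or dt == Trust.NONE:
        return False, "no identity: user or device not established"
    if ut < min_user:
        return False, f"user trust {ut.name} below required {min_user.name}"
    if dt < min_device:
        return False, f"device trust {dt.name} below required {min_device.name}"
    return True, "allow"


def scenarios():
    """Constructed cases; the stolen-credential case is the one a password alone cannot stop."""
    corp_ok = Device("A1:B2", enrolled=True, corporate_owned=True, healthy=True)
    corp_unpatched = Device("A1:B3", enrolled=True, corporate_owned=True, healthy=False)
    unknown = Device("FF:00", enrolled=False, corporate_owned=False, healthy=True)
    creds = User("alice", password_ok=True, otp_ok=True)   # a thief presents the same creds
    return {
        "employee on corporate laptop": decide(creds, corp_ok, "online-store-db"),
        "stolen creds and token, unknown box": decide(creds, unknown, "online-store-db"),
        "wrong password on corporate laptop": decide(User("alice", False), corp_ok, "intranet"),
        "unpatched laptop to intranet": decide(creds, corp_unpatched, "intranet"),
        "unpatched laptop to remediation": decide(creds, corp_unpatched, "remediation-vlan"),
        "password only to store db": decide(User("alice", True), corp_ok, "online-store-db"),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}: {why}")
```

Two things the scenarios make visible: a valid password and a valid token on an unenrolled machine are refused before the policy table is even consulted, and a known but unhealthy corporate laptop is not simply "bad"; it is low-trust, which is enough for remediation and nothing else.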

Friday, August 11, 2006

It's been a while...

I have been working on an article for the ISSA, and since I can't blog about what's in the article, you'll have to wait until the September issue.

As part of my research, however, I came across the following article. I guess they don't have the same affinity for a woodstove that I do for burning up drives on a crisp fall evening:

The BT-funded research, carried out by the University of Glamorgan in Wales, analysed 317 hard drives purchased second-hand in the UK, Australia, Germany and the US.

About 35 to 40 percent of these turned out to come from businesses, 23 percent of which contained enough information to identify the specific company that had owned them, using only off-the-shelf analysis tools. A shocking five percent held sensitive business information.

A further 25 percent came from individuals, while the remainder could not be identified. Researchers found many hard drives chock-full of porn, and even had to refer two hard drives to the police for suspected paedophile crimes.

The study - a follow-up to an almost identical one conducted on behalf of BT last year - found that the treatment of hard disks had barely improved since then, said Dr Andy Jones, head of Security Technology Research at BT.

“We’ve seen a huge increase in corporate governance. This is a measurable metric of how well companies are doing in implementing all this security,” said Jones.

The main problem was that “once an organisation disposes of assets, it gives up ownership or responsibility,” he said. “How much are you going to invest cleaning something that is only worth £5-£10?”

The disks were bought from a random selection of auction sources. Of the countries surveyed, the UK did relatively well by the admittedly low standards of data security uncovered.

A quarter of the 200 drives that came from the country had been competently wiped.

Many others simply had files deleted in Windows or had reversible processes such as disk formatting applied to them.

Overall, four out of ten drives bought second-hand didn’t even work, suggesting that petty fraud afflicts the second-hand drive market as much as lax data security.

The full report is not available online, but will be published this October in the quarterly Journal of Digital Forensics, Security and Law, which has its own website.

Another issue identified by Jones was the quality of disk wiping tools available to the general public and company IT staff alike – many of them did not work well, researchers found.
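The study's three findings (deleted files and quick formats are reversible, and many wiping tools did not work) come down to one thing: data is gone only when every block has been overwritten and that has been read back and checked. Here is an added demonstration of that, my own code and not from the study or the post: it builds a constructed 256 KiB "drive" image, plants a sample record in a data block, simulates a delete/quick format by rewriting only the first 4 KiB of metadata (no real filesystem is created), then does a full overwrite and verifies it by reading every byte back.

```python
"""Added demonstration, not part of the BT/Glamorgan study: on a constructed
256 KiB "drive" image, show that a file delete or quick format (which rewrites
only metadata at the front of the disk) leaves the payload readable by a raw
scan, while a full overwrite plus verification does not. The image, the planted
data and the quick-format simulation are all constructed."""

import os
import tempfile

IMAGE_SIZE = 256 * 1024
SECRET = b"CARDHOLDER=4111-1111-1111-1111"   # constructed sample data
SECRET_OFFSET = 128 * 1024                   # somewhere in the data blocks
METADATA_BYTES = 4096                        # superblock / directory region


def make_drive() -> str:
    """Zero-filled image with the secret planted in a data block; returns path."""
    fd, path = tempfile.mkstemp(prefix="drive-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\0" * IMAGE_SIZE)
        f.seek(SECRET_OFFSET)
        f.write(SECRET)
    return path


def recoverable(path: str) -> bool:
    """A raw byte scan is all an off-the-shelf carving tool really does."""
    with open(path, "rb") as f:
        return SECRET in f.read()


def quick_format(path: str) -> None:
    """Simulate delete / quick format: only the metadata region is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\0" * METADATA_BYTES)
        f.flush()
        os.fsync(f.fileno())


def full_wipe(path: str, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of the image; returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(b"\0" * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_wiped(path: str) -> bool:
    """Read the whole image back; a wipe you did not verify is not a wipe."""
    with open(path, "rb") as f:
        while True:
            block = f.read(64 * 1024)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def run_demo() -> dict:
    """Constructed walk-through; returns the observation at each step."""
    path = make_drive()
    try:
        out = {"planted": recoverable(path)}
        quick_format(path)
        out["after_quick_format"] = recoverable(path)
        out["quick_format_verifies"] = verify_wiped(path)
        full_wipe(path)
        out["after_full_wipe"] = recoverable(path)
        out["full_wipe_verifies"] = verify_wiped(path)
        return out
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for step, seen in run_demo().items():
        print(f"{step:22} {seen}")
```

The `verify_wiped` step is the part the study found missing from the tools people were using: it does not trust the wipe's own success report, it reads the media back. On a real drive you would image the whole device the same way (and on flash media, remember that an overwrite may not reach every physical block, which is why the woodstove is not a bad answer).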

Tuesday, August 01, 2006

The Identity Trifecta...

How badly is your identity project going right now?

People are starting to come back from vacation and those Identity Management project decisions that got pushed off until 'after vacation', like which vendor, consultant, approach, project team, etc. are staring people square in the eyes. They are also starting to realize that Labor Day is approaching, and then they have 3 months TOPS to get a project done before everyone is more concerned about what to wear to the company holiday party than how far along their projects are.

I was reading some blogs this morning about IdM projects and approaches and I found myself grinning. Grinning and squirming, actually. Squirming because I was saying the same thing up until a year and a half ago: Identity Management applications and the projects tied to them are larger than you think, will take more time than you think, and if you hire the right consultants they will fix it. Full disclosure here, folks: I was one of those consultants.

Why I was grinning is that these folks are still holding onto old truths. There was a time when projects took thousands of hours of consultants' time, because the space as a whole was in its infancy and nobody knew anything, myself included. Guess what? There are best practices now. The products have matured (somewhat). Right and wrong approaches have been tried. People know what not to do as part of a project. So why is the mantra still that these are big, expensive, complex projects?

Is it the software (partly: you need to configure an adapter even if you don't build it)? Is it the experience level of implementers (maybe, but less of an excuse today than 18 months ago)? Is it picking the wrong use case to build for (maybe)? Or is it that there is no real knowledge base (except vendors and consultants) of best practices, do's and don'ts for those of us looking at how to 'do' an identity management project?

Here is my two cents, based on my experience licensing over 500,000 users of Identity Management software, being involved in varying degrees with 8 IdM application deployment projects, and watching millions of dollars spent at other firms to solve one specific problem that was drowned out by competing interests and misguided approaches.

Figure out what the end result is, specifically.

This doesn't mean 'SOX compliance' or 'HIPAA compliance'; it means things like 'showing a 50% reduction in faults on our year-over-year audits of our IT controls' or 'reducing our audit costs by 30% over two years'. Make sure that if you do an ROI, the clock starts when you FINISH your IdM deployment, not when you start it.

Make sure you ask the vendors how they control access to applications outside of the provisioning process. Can a DB administrator write directly to the HR system? Can a Windows admin add an AD account by going to the provisioned application directly? Know all the risks and decide whether they are tolerable.

The industry has also matured, and applications are not the only game in town. Other vendors have taken the best of provisioning and the solid components of identity, flattened the business process out, and deployed it in the network. Why is this important?

It's important because when you manage identity, and ultimately control access based on identity, at the network layer, you are controlling access to three layers, not just one. That's right: it's an Identity Trifecta.

When you decide and control who has access at the network layer, you protect your network, your infrastructure (servers), AND your applications. With an IdM application, you are still allowing access to the network and the servers, and only 'controlling' access to the applications. And if someone can write directly to a database outside of the IdM/provisioning app, what good is the IdM app?
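Whichever layer you enforce at, the question "can someone create an account behind the IdM app's back?" has a detective control: reconcile what the provisioning engine believes it created against a snapshot read from the target systems themselves. Here is an added example of that reconciliation (my own illustration, not code from the post or from any IdM product); the account names, the `svc-idm` service principal and the creator fields are constructed.

```python
"""Added example, not from the post: reconcile what the provisioning engine
believes it created against a snapshot pulled from the target systems, so an
account a DBA wrote straight into HR, or an AD user a Windows admin created by
hand, shows up as an exception instead of staying invisible. All account data
below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TargetAccount:
    system: str
    login: str
    created_by: str      # creator as recorded by the target system itself


# What the IdM engine believes it provisioned (constructed)
PROVISIONED = {
    ("AD", "alice"), ("AD", "bob"),
    ("HR", "alice"), ("HR", "bob"), ("HR", "carol"),
}

# Snapshot read from AD and the HR database directly (constructed)
TARGET_SNAPSHOT = [
    TargetAccount("AD", "alice", "svc-idm"),
    TargetAccount("AD", "bob", "svc-idm"),
    TargetAccount("AD", "dave", "winadmin01"),    # created in AD, bypassing IdM
    TargetAccount("HR", "alice", "svc-idm"),
    TargetAccount("HR", "bob", "svc-idm"),
    TargetAccount("HR", "eve", "dba_jsmith"),     # inserted straight into the HR DB
]


def reconcile(provisioned, snapshot, idm_principal="svc-idm"):
    """Return the three exception classes a control owner needs to act on."""
    actual = {(a.system, a.login): a for a in snapshot}
    # In the target but never provisioned: out-of-band creation, the blind spot.
    rogue = sorted(k for k in actual if k not in provisioned)
    # Provisioned but gone from the target: deleted or renamed behind IdM's back.
    missing = sorted(k for k in provisioned if k not in actual)
    # Provisioned and present, but the target says someone else created it:
    # the account pre-existed or was recreated by hand and IdM merely adopted it.
    creator_mismatch = sorted(k for k, a in actual.items()
                              if k in provisioned and a.created_by != idm_principal)
    return {"rogue": rogue, "missing": missing, "creator_mismatch": creator_mismatch}


def report(result):
    """One line per exception, ready for a ticket or an audit evidence file."""
    lines = []
    for kind, keys in result.items():
        for system, login in keys:
            lines.append(f"{kind:16} {system}:{login}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(PROVISIONED, TARGET_SNAPSHOT)):
        print(line)
```

Run on a schedule against every connected target, this is the evidence that answers the vendor question above with data rather than assurances; a non-empty `rogue` list is exactly the DBA or Windows admin working around the provisioning process.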

Also, if you deploy in the network layer there is typically a handful of network gurus to deal with, and they all speak the same language. Not so with application-based identity. You will end up having to talk to every application owner about the configuration of their app (which, by the way, they see as a loss of control), and then building (or at the very least configuring) an adapter as part of the project. That may be attractive for some organizations; for others, not so much.

Anyway, my point here is to look at why you need identity management, where it should be implemented (network vs. app), and how complicated you want to make it, and for what reasons.

I’ll take the payout on a Trifecta any day…

identitystuff @