Thursday, November 30, 2006

Response to a Digital ID World Blog

http://blogs.zdnet.com/digitalID/wp-trackback.php?p=75

Take a look at the blog, the 1 comment that is up there (mine is awaiting approval by Eric), and here is the comment and my response:

"... So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc.

It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack!!) They are finally "treating the network layer in the same way that one would treat the application layer"? Maybe in five years, vendors will start treating the application layer the same way (just more efficient) that they treat the network (and host/OS) layer.

Posted by: douglen@..."

RESPONSE:

I beg to differ strongly on this one.

Just so we're clear about why I can say what I'm about to say... I have run over a dozen initiatives that have provisioned/deprovisioned over 1M users at the application layer. I have worked with IBM, Novell, and Sun's products, and left a VP level job to join TNT for exactly the reason/point you seem to miss. I have published two articles in the ISSA Journal about this as well. My blog is at http://identitystuff.blogspot.com should you care to follow along.

Your point: So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack!!)

My point: Identity at the network layer means that identity is carried from perimeter to port, so you've encompassed identity in the network, infrastructure, AND application layer WITH the associated entitlements in a single piece of technology. Add to that the visibility of who, from what machine, went to (or tried to go to) an application, which ultimately drives who can see and access the right apps, and it is invaluable.

The other benefit to identity in the network is that once I have deprovisioned the user from the directory, guess what? They can't get on my network at all, they can't log in to HR systems from the laptop they still have, and every account they ever set up, known or unknown, is rendered useless. How's that for workflow?

So I will point out that identity in the network is exactly where things are headed, and need to be. TNT (yes I work for them http://www.trustednetworktech.com) gives DNA to identity which is as close to true identity as we can get right now...

identitystuff@gmail.com
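The mechanism the response argues for (a network-layer gate that consults the central directory on every connection, so that deprovisioning one directory entry cuts off every path, including applications with their own local accounts) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not the original post's code and not TNT's product. The users, devices, hostnames and ports are constructed sample data, and the class and function names are hypothetical.

```python
"""Toy identity-aware network enforcement point.

Added example, not from the original post or any vendor product. Every
connection attempt is checked against a central directory for three things:
the user exists, the device is bound to that user, and the user's groups
carry an entitlement for the destination (host, port). Each decision is
logged, which gives the "who, from what machine, went where" visibility.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (hostname, port)


@dataclass
class Directory:
    """Central identity store (a stand-in for AD/LDAP in this example)."""
    groups_of: Dict[str, Set[str]] = field(default_factory=dict)
    devices_of: Dict[str, Set[str]] = field(default_factory=dict)
    entitlements: Dict[str, Set[Endpoint]] = field(default_factory=dict)

    def provision(self, user: str, groups: Set[str], devices: Set[str]) -> None:
        self.groups_of[user] = set(groups)
        self.devices_of[user] = set(devices)

    def deprovision(self, user: str) -> None:
        # Removing the user here is the single workflow step the post relies on.
        self.groups_of.pop(user, None)
        self.devices_of.pop(user, None)

    def allowed_endpoints(self, user: str) -> Set[Endpoint]:
        out: Set[Endpoint] = set()
        for group in self.groups_of.get(user, ()):
            out |= self.entitlements.get(group, set())
        return out


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Attempt:
    user: str
    device: str
    host: str
    port: int
    decision: Decision


class EnforcementPoint:
    """The network-layer gate; it never trusts an application's own account store."""

    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.log: List[Attempt] = []

    def evaluate(self, user: str, device: str, host: str, port: int) -> Decision:
        d = self.directory
        if user not in d.groups_of:
            decision = Decision(False, "user not in directory (never provisioned or deprovisioned)")
        elif device not in d.devices_of.get(user, set()):
            decision = Decision(False, "device not bound to this user")
        elif (host, port) not in d.allowed_endpoints(user):
            decision = Decision(False, "no entitlement for this endpoint")
        else:
            decision = Decision(True, "entitled")
        self.log.append(Attempt(user, device, host, port, decision))  # visibility
        return decision

    def attempts_by(self, user: str) -> List[Attempt]:
        return [a for a in self.log if a.user == user]


class LegacyApp:
    """An application with a local password file the directory knows nothing about."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = accounts

    def authenticate(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password


def demo() -> Dict[str, object]:
    # Constructed sample data; hostnames are hypothetical.
    directory = Directory(entitlements={
        "hr": {("hr.example.internal", 443)},
        "eng": {("git.example.internal", 22)},
    })
    directory.provision("alice", {"hr"}, {"LAPTOP-ALICE"})
    directory.provision("bob", {"eng"}, {"LAPTOP-BOB"})
    gate = EnforcementPoint(directory)
    hr_app = LegacyApp({"alice": "hunter2"})  # account alice set up on her own

    before = gate.evaluate("alice", "LAPTOP-ALICE", "hr.example.internal", 443).allowed
    wrong_device = gate.evaluate("alice", "LAPTOP-BOB", "hr.example.internal", 443).allowed
    no_entitlement = gate.evaluate("alice", "LAPTOP-ALICE", "git.example.internal", 22).allowed

    directory.deprovision("alice")  # the one step that should cut everything off
    after = gate.evaluate("alice", "LAPTOP-ALICE", "hr.example.internal", 443).allowed
    app_still_accepts = hr_app.authenticate("alice", "hunter2")  # local account is unchanged

    return {
        "before": before,
        "wrong_device": wrong_device,
        "no_entitlement": no_entitlement,
        "after": after,
        "app_still_accepts": app_still_accepts,
        "alice_attempts_logged": len(gate.attempts_by("alice")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the last two values make together: the legacy HR application would still accept alice's local password after she is deprovisioned, but the gate in front of it refuses the connection because the directory no longer knows her, so the orphaned account is unusable without anyone having to find it.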

Tuesday, November 28, 2006

ISSA Journal Article

A second article I had submitted earlier this year is in the November issue of the ISSA Journal. You can get a copy of the article HERE. In it I discuss the importance of identity as it relates to machine identity. Since there is no AD or LDAP for machines, and they can inflict damage with or without a user using bots and other malware, it's something to look at.

identitystuff@gmail.com

Friday, November 17, 2006

Just launched PCISTUFF

In an effort to keep things focused, I have started another blog, PCISTUFF, where I'll be going through the PCI requirements, PCI solutions, and ideally creating a space where PCI expertise will be shared.

Have a great weekend and a fabulous Thanksgiving.

Wednesday, November 15, 2006

Identity 2.x = Good vs. Evil?

I was at an ISSA meeting yesterday in Minneapolis and the presentations I saw were all about identity: identity of threats, identity of solutions, and identity itself. It also got me thinking about whether or not there are more players in the Identity Management space than we realize.

Bots, worms, and viruses all have an identity. They (for the most part) are designed to negatively impact the proper operation of technology. Whether it's driven by ego, monetary gain, or revenge, they are out there and growing. To me the identity of these programs is the equivalent of identifying whether we're a girl or a boy, since you are typically one or the other (there are exceptions to both). Their identity is typically that they are bad, not good.

The solutions that are designed to identify, detect, deter, and destroy are in most cases considered the 'good' since the good takes care of the bad a la Star Wars, Mission Impossible, or James Bond. This is their identity.

So does that mean that the companies deploying anti-virus, firewalls, IDS, IPS, etc. are an extension of identity, its soul (good or evil), and that by extension they are in essence in the Identity Management space as well? The next layer of Identity Management would then be the physical establishment of the 3-D world's identity of people and machines. I'll have to noodle this around some more...

identitystuff@gmail.com

Monday, November 06, 2006

PCI Compliance and Identity

I don't know if it's just that time of the year when retailers large and small are gearing up for Black Friday, or if it is something else, but PCI compliance is on the minds of many, and I felt compelled to blog about the discussions I've had lately with several organizations, from school districts to large privately held Level 1 companies, and why identity is at the center of it all.

Oh, and I'll also fill you in on a way for PCI Level 3 organizations to implement a solution for $100,000 which is the proposed amount of a fine if you are found non-compliant.

Identity is at the center of PCI because it requires organizations to restrict access to customers' identity information to identified and authorized employees.

The conversations I have had the past few weeks have been interesting. It turns out that one Level 3 organization I spoke to has been trying for two years to come up with something that will get them compliant. Not because they wanted to, but because their bank wanted them to prove compliance. Interesting that banks are moving risk back to the customers, at least the little ones.

The other conversation I had was with a diversified company in the Midwest that stores and uses a ton of information related to PCI, and their customers were the ones asking for proof that they were PCI compliant, or at least had protections in place at the same level or better than what the customer had. It was interesting because it seemed to me that their customer was trying to assess and mitigate risk and enforce policy and standards inside and outside their four walls, which is a HUGE issue for companies today, PCI compliance or not.

Anyway, take a look HERE and you will be able to download the PCI specification and a bullet-by-bullet account of how TNT can help you satisfy 60% of the requirements in less than a week.

identitystuff@gmail.com