Wednesday, May 30, 2007

Identity(ie) Fair(e)

I just saw Dave Kearns' post about pulling together an Identity Fair of sorts and I think it's a great idea.

The biggest issue (as it usually is) is to find the funding. Keeping it vendor agnostic without tapping into marketing budgets of vendors would be difficult. Could we pool all of our Starwood points to get some space someplace like Phoenix in August, or Portland Maine in January?

A steering committee should be assembled to investigate. Maybe a university could provide the space, given that this could be the academic Mindmeld of Identity, or the Identity Stew.

It bears further investigation... And a solid sponsorship model. I'd throw some points at it...

Shouts out to my IdM crew

It's been a while since I have blogged about my discussions with other folks and I wanted to give a shout out and a note of thanks to a few folks who I have dined with and talked to from the far reaches of the identity sphere:

Nishant Kaushik at Oracle. Lunch at Olives was fantastic, the food rivaled the discussion.

Mark McClain at Sailpoint - I think you have something special going on there.

Quin Sandler - Interesting addition to the vectors of Identity, our conversation got me thinking.

Jackson Shaw - I hope we get to meet and share a fantastic meal somewhere.

Marco at HP - Keep on researching, it helps us all.

Mark Dixon - always a pleasure to exchange thoughts with you

and Ian Glazer at Approva

This space has good people in it and I'm happy being a minuscule part of it...

But I'm Entitled to my Entitlements

I was reading an article in InfoWorld about Securent and their ability to manage entitlements and my first reaction was – isn’t that what identity management is designed to do – govern and audit access to applications?

It also got me thinking about the power of Trusted Network Technologies' solution, some research being done by HP in the UK around network layer identity and access control, and the value of machine identity in the AMIMA space (Access Management Identity Management Applications - it's my acronym).

I will say up front that I have never worked with Securent’s product so I am not going to go down that road but stay at 10,000 feet for now. The way the article reads, Securent has laid claim to adding to the SSO functionality and bridging into access management and entitling (enabling) access to applications. It makes me wonder – is Securent saying that other IDM solutions are great for managing the workflow of on boarding but little else, and that SSO is where the rubber meets the road?

Back in the old days, IDM was designed to manage this process and access issue and its popularity swelled, and I saw more projects get wrapped around the axle with entitlements. In my experience, entitlements are phase two of an IdM initiative, the first step is getting the process right. If you nail your process, the technology matters much less.

When I joined TNT a few years ago (I have since moved on) I saw something completely unique, and their patents guarantee that they will be unique for the foreseeable future. In essence it adds identity to the network layer, which sidesteps all of the application layer issues that people seem to run into. It is access control and identity management of people, and it adds another variable (factor) of access control by binding a unique machine ID, created from a hash of hardware serial numbers (not MAC addresses), so you are your machine.

The management of a powerful system like this means that you have tamed the identity beast in many respects: users and machines are the variables that govern access down to the port level, and that governs any and all connections to ANY application or server up the stack. You log in once from your machine and your access to and visibility of the applications and infrastructure is handled in the network – where most hacking starts and where risk is often overlooked.

The HP research is looking at the notion of machine identity, however to do it right and not get stuck in the wrong layer it has to occur in the network, since connections to any server or application start in the network layer.

The dependency in this model? A clean, or clean enough directory to use as the jumping off point. Until the authoritative source(s) are clean and managed well the AMIMA dog won’t hunt.
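To make the user-plus-machine binding concrete, here is an added example of my own (an illustration, not TNT's product or HP's research): a machine ID is derived from a digest of constructed hardware serial numbers, a constructed directory binds users to machine IDs and roles, and a constructed port-level policy decides each connection.

```python
import hashlib

# Constructed hardware inventories: component serial numbers only, no MAC
# addresses. Sample data, not real devices.
ALICE_LAPTOP = {"board": "MB-1001-A", "disk": "WD-55AA-9", "cpu": "C7-4420"}
LOANER_LAPTOP = {"board": "MB-2077-F", "disk": "WD-10CC-2", "cpu": "C7-4420"}


def machine_id(serials: dict) -> str:
    """Derive a stable machine identifier from a set of component serial numbers.

    Components are sorted by name before hashing, so the ID does not depend on
    the order in which the inventory was collected."""
    canonical = "|".join(f"{name}={serial}" for name, serial in sorted(serials.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


# Constructed stand-in for the authoritative directory the post says the model
# depends on: each user is bound to the machine IDs they may connect from and
# to the roles that drive network policy.
DIRECTORY = {
    "alice": {"machines": {machine_id(ALICE_LAPTOP)}, "roles": {"finance"}},
}

# Network-layer policy: which (role, destination host, TCP port) tuples are
# open. Anything not listed is denied, including other ports on the same host.
POLICY = {
    ("finance", "erp.internal", 443),
}


def authorize(user: str, serials: dict, dest: str, port: int) -> tuple:
    """Decide one connection attempt on (user, machine, destination, port).

    Returns (allowed, reason). A valid user on an unbound machine is denied,
    which is the 'you are your machine' binding described in the post."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False, "unknown user"
    mid = machine_id(serials)
    if mid not in entry["machines"]:
        return False, f"machine {mid} is not bound to {user}"
    for role in sorted(entry["roles"]):
        if (role, dest, port) in POLICY:
            return True, f"allowed by role {role}"
    return False, f"no role grants {dest}:{port}"


if __name__ == "__main__":
    for args in [("alice", ALICE_LAPTOP, "erp.internal", 443),
                 ("alice", LOANER_LAPTOP, "erp.internal", 443),
                 ("alice", ALICE_LAPTOP, "erp.internal", 22),
                 ("mallory", ALICE_LAPTOP, "erp.internal", 443)]:
        print(args[0], args[2], args[3], "->", authorize(*args))
```

The directory entry is the weak point the last paragraph calls out: a stale or wrong binding there is honoured exactly like a correct one, so the decision is only as good as the authoritative source feeding it.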

Tuesday, May 22, 2007

TJX - Where it all started...

I was catching up on my reading and came across an article at SC Magazine by Dan Kaplan about where the TJX breach all started... Wain Kellum, CEO at my former employer Trusted Network Technologies, was quoted. If you're looking to prevent this take a look at Wi-fi Owl, it is designed to catch this type of thing before you make the papers.

You can get what sounds like the antenna they used at

Dan Kaplan May 4 2007 17:00

The suspects who lifted the personal data of 45.7 million customers from TJX's processing systems hatched their elaborate plan some two years ago at a Marshalls outlet in Minnesota, where they used simple technology to tap into the store's wireless connection, The Wall Street Journal reported today.

According to the story, citing investigators, the intruders, from the parking lot, used a "telescope-shaped antenna" and a laptop to decode data that was moving among the Marshalls store’s scanning devices, cash registers and PCs, which were using wireless LAN connectivity.

What the intruders either learned or physically planted that day helped them later hack into TJX’s main database, where they quietly pilfered data for two years and ended up executing the largest data breach in the nation’s history.

Investigators told the newspaper that the St. Paul, Minn. Marshalls location was running a wireless network protected by the weak Wired Equivalent Privacy (WEP) industry standards, which have since been superseded by the more robust Wi-Fi Protected Access (WPA) guidelines.

TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.

Gartner Vice President and Senior Fellow John Pescatore told today that the replacement standards - required under the Payment Card Industry mandates - are much more secure than WEP, which was "riddled with holes," he said.

"The encryption to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than (no security at all). This is something I would have thought an audit would've caught."

According to the newspaper, the hackers used an antenna, a common tool used to retrieve a wireless signal from a distance, Pescatore said.

He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with Windows XP and it tells you what access points it can hear. It doesn't take any special equipment."

The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.

"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. "You're on their network."

The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based Trusted Network Technologies, told today.

He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.

"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.

A TJX spokeswoman could not be reached for comment today.

Since the breach, the Federal Trade Commission has launched an investigation, and three New England banking associations filed a lawsuit seeking to recoup costs associated with fraudulent purchases.

However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.

Tuesday, May 15, 2007

Compliance as a driver for LBOs and going private

I was at another of my favorite haunts in Manhattan last night - St. Andrews Restaurant, eating my haggis (yes, really), and wound up chatting with a guy and his wife for a couple of hours. He works for HSBC and they just moved here from London. With the news about Daimler selling to Cerberus, I asked him about the driving factors for companies going private. One of the first things he said was - compliance costs.

In the Identity world I couldn't help but wonder whether companies are questioning if it is really worth what they spend, since there are no definitive answers about what is right and what is not. Based on my observations from the trenches, so long as companies are working on compliance, aka have a budget and consultants helping them, then they are ok, at least with Sarbanes-Oxley. I ask - to what end?

It is like owning a boat - it's a big hole in the water you throw lots of money into. Compliance is the new QE 2 in this metaphor.

If anyone out there has any additional insight as to whether or not our discussion has any merit, please let me know. It seems some companies would rather spend the compliance dollars on running a tighter ship their way, not by loosely defined laws cooked up by legislators.

The end of an era...

One of my favorite restaurants in North America has closed - Ollies Noodle Shop - in Manhattan.

I went there for lunch yesterday, braving the tourists in Times Square, only to find a demolition company's truck parked out front and dusty windows telling me they had moved. I felt like Ralph Wiggum after Lisa Simpson told him she didn't like him and Bart caught the exact moment his heart broke on film...

I trudged another 6 or 7 blocks to their new location and it was not Ollies, in any way shape or form. They tried to go upscale, and cut 3/4 of their menu items - of course the only two dishes I have ever eaten there - and it wasn't that good at all.

I rolled back to my hotel several blocks north lamenting the end of an era. Bummer.

If anyone has any favorite picks for great Chinese in Midtown, send them over...

Monday, May 14, 2007

Too good to be true?

A buddy of mine told me about this site and so I had to check it out. It is a site devoted to a free 60 day Proof of Concept for Single Sign On (SSO), there are other options for IAM Pilots, licenses, etc. Turns out Grady used to work for me in a previous life so I will tell you that this offer is NOT too good to be true. Grady is a stand up guy.

Long story short here folks - Worth looking into if you are trying to get a project funded. I have yet to see something like this that is a low risk way of helping to decide if you should invest a bunch of time or money into a project.

I'm in Manhattan this week, so if there is anyone in the blogosphere who wants to talk shop, reach out and let's get caffeinated...

Friday, May 11, 2007

It's all about the (business) process folks...

I cannot and will not ever say this enough. If you want a copy of my identity playbook so at least you understand this, let me know.

I spoke to a non-US Government Agency yesterday about their Identity Management initiative. Turns out they are hung up on an architecture. Why? Because there is no identifiable (or identified) business process for them to build for. The business users are saying 'Just buy a tool and it'll take care of it, that's what their workflows are for'. Those of us who do this for a living are probably smirking or laughing out loud at the comment. Typical, but one of the leading causes of unsuccessful projects.

- Roles don't matter in the absence of a process
- Entitlements don't matter in the absence of process
- Ultimate success depends explicitly on process

When I say process - this is what I mean:

When a process is defined from the onboarding of an employee, certain simple truths and processes are born. Identities are created, HR data is populated, and provisioning happens. The simple truth is that there are components of that Identity (email address and phone number for example) that everyone has. Period. So at the Macro level the process is, when a user is created they get an email address and a phone number. It is the blood type and sex at birth (as a metaphor).

What this baby will grow into is a process, whether we're talking human or IdM, which is why process is so important. Looking at the simple process and simple truths of WHERE YOU WANT TO BE/GET TO is paramount.

I will meet with these folks on my next trip in country and see if I can help, even if it's to explain to the business folks that them saying 'Just buy the tool' is the wrong way to figure out a process.

In fact I may have to go to Home Depot and get a tool, any tool, walk in with it and say 'that'll fix your IdM problem' to drive the point home...

Tuesday, May 08, 2007

Social Engineering for Seniors' ID Theft

I laughed out loud to the point of a coughing fit when I saw this story on Fox News. Definitely low tech identity theft. And here I would have thought going through her purse was pretty easy. Seriously though, did they get the one smoking the crack correct?

NEW PORT RICHEY, Fla. — A woman forced an 83-year-old housemate to smoke crack cocaine so she could steal personal information to get a credit card and run up more than $3,000 in charges, authorities said.

Pasco County sheriff's investigators accused Theresa M. Stanley-Morgan, 41, of getting the older woman to smoke the drug at least twice to make it easier to exploit her financially.

Stanley-Morgan was arrested April 28. She admitted to investigators that she used Shirley Hathaway's name, birth date and Social Security number to open the account, a sheriff's report said.

Hathaway and a witness told investigators that Stanley-Morgan forced Hathaway to smoke a lit crack pipe, the report said.

Stanley-Morgan was in jail Monday on $23,000 bail, charged with criminal use of personal identification, use of another person's ID without permission and retail theft, according to jail records. Records did not indicate if she had a lawyer.

The sheriff's office said more charges were pending and asked the court not to reduce her bail.

Friday, May 04, 2007

Getting the cart back behind the horse

I had several fantastic discussions with some old and new friends in the identity space yesterday, to discuss some exciting new approaches out there, and also to see how things were going in the trenches. The common theme was that people are getting the cart back behind the horse.

One of my first calls was with a fellow Red Sox fan and IdM project leader at a large beverage company who was a year into an implementation. The feedback we exchanged was that things were going very well now, especially since the client understood what they bought, why they bought it and why things needed to happen in a certain way and in certain phases. There were also very defined criteria for each phase that ensured the next phase would not be started without a check under the hood of the phase that was wrapping up, and sign-off that the criteria had been met, that they were still as correct at the end of the phase as when it was started, and that anything needing to be accounted for or changed in the criteria going forward had been identified.

This spoke to my long held belief that where you want to end up is FAR more important than where you start. Adding checks and balances keeps things transparent and keeps politics or gee-whiz ideas from polluting the project in each phase. The cart is behind the horse, and focusing on the process has yielded measurable success. Glad to hear it.

One of my other conversations later in the day was with Sailpoint's CEO Mark McClain. While we had never met until yesterday, we knew a lot of the same folks in the business and it was another great discussion and fun to remember when provisioning was something you did to prepare a boat for a weekend trip.

The take away I had from the discussion was that Sailpoint was addressing a very key issue in the IdM world, in my sole opinion: tying the metrics of a project to business process, and providing metrics at the outset and during the entire business operation of mitigating risk and determining where a company needs to focus and why. In essence I see their solution as the check and balance for the business folks in an organization to understand - through ongoing measurement of technology and process - what was yielding the desired successes and why, and ultimately how big their bonus might be, by turning data into information that will drive the right process for project execution and ultimately reduced risk for an organization.

I also spoke to the founder of a company still in stealth mode that is putting the polish on their organization. I chair their Strategic Advisory Board, and some exciting - and common sense - approaches are afoot with these folks to extract all of the value of the Right Process. I will be blogging more about this when they launch.

Have a great weekend, and it is amazing to see the Boston Red Sox leading the AL East, crushing the Yankees out of the gate, and Beckett pitching like we know he can. The Curse does indeed feel reversed at this point in the season...