Archive for the ‘Cloud’ Category

SCIM from Excel

In my Twitter timeline I'm watching the hashtag #cisnapa, which brings news and facts from the Cloud Identity Summit 2013 in Napa. It seems Mark Diodati was demonstrating a SCIM client for Excel.

(Screenshot, 2013-07-10)

So if you’re interested in the code, here you go:

Might this be the new rise of Excel as an identity management suite? 🙂
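As an added example of what any such client has to do on the wire (this is my code, not Mark Diodati's Excel client, which the post does not show), here are the two halves of a minimal SCIM create-user call in Python: composing the POST /Users request and validating the server's reply. It assumes the SCIM 2.0 wire format (RFC 7643/7644), a placeholder endpoint URL and bearer token, and constructed replies, so nothing is sent over the network.

```python
"""Minimal SCIM client building blocks: compose a create-user request and
validate the server's reply. Added example, not the Excel client from the
summit. Assumptions: SCIM 2.0 wire format (RFC 7643/7644), a placeholder
endpoint and bearer token, and constructed server replies; nothing is sent."""
import json
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def build_create_user_request(base_url, token, user_name, given, family, email):
    """Return a prepared (not yet sent) POST /Users request."""
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/Users",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
            # The bearer token is a credential: an Excel client that keeps it
            # in a cell hands it to everyone who receives the workbook.
            "Authorization": "Bearer " + token,
        },
    )


def parse_create_user_response(status, body):
    """Return the server-assigned id on success; raise RuntimeError on a
    SCIM error document or on anything that is not a User resource."""
    doc = json.loads(body.decode("utf-8"))
    schemas = doc.get("schemas", [])
    if status == 201 and SCIM_USER_SCHEMA in schemas and doc.get("id"):
        return doc["id"]
    if SCIM_ERROR_SCHEMA in schemas:
        raise RuntimeError("SCIM error %s: %s" % (doc.get("status"), doc.get("detail")))
    raise RuntimeError("unexpected SCIM response, HTTP %d" % status)


# Constructed replies for offline use (the id is the one used in RFC 7643's examples).
CONSTRUCTED_CREATED_REPLY = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "jdoe",
    "meta": {"resourceType": "User",
             "location": "https://scim.example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"},
}).encode("utf-8")

CONSTRUCTED_CONFLICT_REPLY = json.dumps({
    "schemas": [SCIM_ERROR_SCHEMA],
    "status": "409",
    "scimType": "uniqueness",
    "detail": "userName jdoe already exists",
}).encode("utf-8")


if __name__ == "__main__":
    req = build_create_user_request("https://scim.example.com/v2", "<token>",
                                    "jdoe", "Jane", "Doe", "jane@example.com")
    print(req.get_method(), req.full_url, req.data.decode("utf-8"))
    print("created id:", parse_create_user_response(201, CONSTRUCTED_CREATED_REPLY))
    try:
        parse_create_user_response(409, CONSTRUCTED_CONFLICT_REPLY)
    except RuntimeError as err:
        print(err)
```

The parser refuses to treat a 200 with an arbitrary JSON body as success: it insists on the 201 status, the User schema URN and an id, and surfaces the SCIM error document (status, scimType, detail) when one comes back, which is what a provisioning client should report instead of silently retrying.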

Categories: Cloud, IAM, IDM, SCIM

Passwords must die – we’re on the way

For several months now, and across several identity-related conferences, one hot topic has been ongoing, represented by a popular hashtag within the IAM crowd (some call them / us identirati): #PasswordsMustDie

I already spent some time in March blogging a few lines on #PasswordsMustDie in the article "Passwords must die – but how?". Over the past weeks I looked around at various places to see how the effort to kill passwords is coming along. There's a bunch of news in that space that I'd like to wrap up quickly.

The FIDO alliance

The FIDO Alliance (FIDO stands for Fast IDentity Online) was formed as a non-profit organization in summer 2012 to change the nature of user authentication. Some well-known names among the members of the FIDO Alliance are:

  • Google
  • Lenovo
  • PayPal
  • PingIdentity
The alliance is still growing and is working on a FIDO plugin supporting various FIDO authenticators, such as hardware-based tokens, fingerprints and voice identification, as well as combinations of those, distinguishing two kinds of tokens:
  1. Identification tokens as unique identifiers associated with an online identity
  2. Authentication tokens for identity proofing

Mozilla Persona

In April 2013, the Mozilla Identity team announced the second beta of Persona as a simple way to log in to various services and websites using any modern browser. Their simple goal: eliminate passwords on the web. Although the base of services and websites is still small, I expect them to grow it over the coming months.


Both the FIDO Alliance and Mozilla Persona show that something is going on to kill passwords. These initiatives will see a major boost in usage as soon as some bigger services start supporting their technology and approach. As long as services like Twitter and LinkedIn merely enable two-factor authentication for their users as a result of various security incidents, passwords remain in use, even if only as one part of the authentication. Let's see which popular service is the first to adopt technologies such as those offered by FIDO or Mozilla; then we might see some real security improvements.

Categories: Cloud, IAG, IAM, Identity, Security, Strategy

Passwords must die – but how?

It's been a while since I had a chance to find some time for my blog. I still have several topics in my pipeline, but as today is going to be a lazy Sunday spent in my hotel in Louisville, KY, I decided to take a shot at a burning hot topic that's been on top for a while: #PasswordsMustDie

As you might have seen in the news, on Twitter or in various blogs, Evernote got hacked recently, and it's reported that usernames and passwords (whether they were hashed or not) were taken. I wonder how many of those passwords are used with other services as well, in the worst case together with the same email address. I think at least 60% of the stolen password / email combinations are in use with other services too, as this is the most common mistake we all make: we reuse passwords. We shouldn't reuse them, but as a matter of fact, we do. By doing so, we're exposing ourselves to an enormous risk. But we accept it.

What could be ways out of this misery?

  • Biometric Authentication
  • Token based authentication
  • Multi-Factor-Authentication

Let’s take a look at all of those.

Biometric Authentication

Some laptops today have a fingerprint reader that can be used to authenticate a user. My HP laptop issued by my employer has one, and I use it at least for the Windows authentication. The same laptop also offers face recognition via the built-in webcam. I've never tried that feature, since the webcam is not working properly. On the other hand, I remember a presentation on a laptop (I won't name the vendor) where the face recognition could be bypassed with a good photo print. Looking at the brand-new MacBook I'm currently using to type this article, there is no fingerprint reader, but it does have a webcam. Looking at other devices and computers in my family, there are also devices that have neither. On those devices there is no way to do biometric authentication without additional hardware. So as long as not all devices have a fingerprint reader by default, there is no way to roll out biometric authentication to all the mainstream services.

Token based authentication

Token-based authentication requires a service to issue a token to the user. But how is the user identified by the service? The user has to present something to prove their identity. So this potentially requires a username and a password or other attributes to be communicated between user and service. Sure, there are SSO applications doing that in an enterprise infrastructure. But what about home users? What do they use to initiate a token-based authentication? They could use, for example, an account from another service that integrates with the service they want to use, like Google or Facebook. And how are the Google account or the Facebook account secured? Typically by a username and a password. Only a small number of people I know use two-factor authentication with their phone to authenticate with Google.

Multi-Factor Authentication

Using multi-factor authentication requires not only a password or a PIN; it also requires at least one more factor to authenticate with. This could be a certificate, a security token calculated by a device or an application, or a biometric component such as a fingerprint or a face recognition scan. As discussed earlier, fingerprints and face recognition are pretty much out of the game, as not all devices support those features. Most of you know the RSA tokens issued by our security departments or by customers for logging into the network or remotely into the customer's network. As these are bound to a network-specific infrastructure component, this would result in a bunch of tokens that I'd have to carry with me all the time. And certificates? More than one major certificate authority has been hacked in recent times.
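The "security token being calculated by a device or an application" mentioned above is, for most authenticator apps, a TOTP code. As an added example (my code, not something from the post or from any token vendor), here is TOTP (RFC 6238) built on HOTP (RFC 4226) in standard-library Python, together with the server-side verifier that the service needs. It assumes HMAC-SHA1, a 30-second step and 6 digits (the usual app defaults), uses the RFC 6238 test secret, and applies an illustrative policy of one step of clock skew and no reuse of a code.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226) in standard-library Python,
plus a server-side verifier. Added example, not code from the post.
Assumptions: HMAC-SHA1, 30-second step, 6 digits, the RFC 6238 test secret,
and an illustrative verifier policy (one step of skew, no code reuse)."""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password for one 64-bit counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """Time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server side: accept a code for the current step or `skew` steps either
    way (clock drift), but never accept a step at or below one already used,
    so a sniffed code cannot be replayed inside its validity window."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1          # highest counter consumed so far

    def verify(self, code, unix_time):
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue                # already used, or older than a used one
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 -> 94287082 with 8 digits ("287082" with 6).
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET)
    first = v.verify(totp(RFC_TEST_SECRET, 59), 59)
    replay = v.verify(totp(RFC_TEST_SECRET, 59), 59)
    print("accepted:", first, "replayed:", replay)
```

The secret is the only thing the server holds, and it is a shared secret: a breach of the service's database leaks every enrolled token, which is why this is a second factor next to a password rather than a replacement for it. Note also that the verifier's `last_counter` state must be stored per user, not per process, or a load-balanced deployment will accept replays.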

So what’s the conclusion out of this?

As much as I agree that passwords must die, I don't see any chance of making that happen soon. It would require at least a standard for a mixture of token-based authentication and multi-factor authentication. But no hardware tokens, please. How about a multi-platform token application for smartphones? Oh, right... what about people without smartphones? You see, it's a long way to go, and we have only just started it with the first services offering alternative ways to authenticate, like SSO with Google.

What could be done to make passwords more secure in the meantime?

  1. Use strong passwords (a combination of lowercase and uppercase letters, numbers and special characters)
  2. Don't reuse passwords (I know, it's not very convenient)
  3. Services need to enforce password policies and password change intervals
  4. If you're using SSO with Google or Facebook, make sure that your passwords there are ultra-strong and force yourself to change them from time to time

None of this is new, but as the Evernote case reminds us to reset our account data and authentication information, we need to remind ourselves how to deal with passwords safely until they die.
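The list above is what users can do; the Evernote case also shows what the service side owes them while passwords still exist, namely storing them so that a stolen table is expensive to turn back into passwords. As an added example (my code, not anything from the post or from Evernote), here is salted PBKDF2-HMAC-SHA256 storage with the parameters kept in the record, constant-time verification, a check for records hashed with outdated parameters, and the unsalted fast hash it replaces. The iteration count, the record format and the "before" function are illustrative assumptions.

```python
"""Service-side password storage for the interim: salted PBKDF2-HMAC-SHA256
with its parameters stored in the record, constant-time verification and a
stale-parameter check. Added example, not from the post. Assumptions: the
iteration count, the '$'-separated record format and the unsalted SHA-1
'before' function are illustrative."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000        # illustrative; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha1(password):
    """The 'before': no salt, fast hash. Every user with the same password
    gets the same digest, so one cracked value unmasks all of them, and a
    table precomputed for one breach works unchanged on the next."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt$hash (base64)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique per user, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, record):
    """Constant-time check of a candidate against a stored record.
    Malformed or hostile records verify as False instead of raising."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    if iterations < 1 or not salt or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)   # no early exit on first mismatch


def needs_rehash(record, iterations=ITERATIONS):
    """True when the record predates the current parameters. Call it after a
    successful login and re-hash with the password you have just verified."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("wrong", rec), needs_rehash(rec))
    print(unsalted_sha1("same") == unsalted_sha1("same"))   # why salting matters
```

Two records for the same password differ because of the random salt, so a leaked table gives the attacker no shortcut across users, and the per-record iteration count lets the service raise the cost later without a forced reset: users get re-hashed on their next successful login via `needs_rehash`.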

Categories: Cloud, IAG, IAM, Identity, Security, Strategy

Consuming Azure Mobile Services–1st step towards Identity on the Phone?

October 1, 2012

Over the weekend I read an interesting blog series by Bruno Terkaly, titled "Introduction to Consuming Azure Mobile Services from iOS". It has five parts, showing some basic principles of consuming Windows Azure Mobile Services from an iOS application on an iPad or iPhone. As a matter of fact, the whole issue of authenticating a user is missing from this blog series, but as Bruno states in his comment on the 5th blog post:

The portal will offer direct support for Authentication and Push notification for both iOS and Android.

So there might be an upcoming series on using authentication on iOS and / or Android, which might open the door a bit for the hot topic "Identity on the Phone" (do we already have IotP defined for that?), as it is completely missing today, at a time when a smartphone is nearly everyone's daily companion.

Here are the five blog posts on the topic:

Part 1 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 2 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 3 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 4 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 5 of 5: Introduction to Consuming Azure Mobile Services from iOS

So hopefully we'll see some updates on his blog regarding the authentication topic, if he's not already working on it. Looking forward to that.

Categories: Cloud, Identity, Mobility

IAM as the foundation to IT Chargeback?

September 26, 2012

A few minutes ago I read an article by Joe McKendrick on ZDNet, headlined "Why private cloud services need to be market-priced". Joe brings up the fact that organizations need to price their private cloud solutions internally in order to charge the cost back to their end users and their business, and to have numbers comparable to those of public cloud services.

He comes up with the following result from surveys:

But that also means six out of 10 private cloud organizations don’t really have a way of connecting private cloud usage with specific users or departments.

So how to bridge that gap? Why not with Identity and Access Management? Having an Identity and Access Management solution puts you in the position of knowing the connection between specific users, their departments and their usage of services, and not only cloud services. IAM should know employees' user accounts in all connected systems, regardless of whether those are classic systems like Active Directory and Exchange, private or public cloud systems, or, in the best case, various file systems.

So the next step would be to calculate reasonable prices for all those services based on their typical overall cost. This is a complex process, but I've seen organizations go this way years ago while deploying the IT Chargeback module of my favorite IAM solution (formerly ActiveEntry, now Quest One Identity Manager) into their infrastructure.

So what I've seen in those organizations was the process of finding reasonable prices for

  • Active Directory user accounts
  • Exchange mailboxes
  • a dedicated amount of mailbox size or home drive size
  • SAP user accounts
  • dedicated IT services requested through an access request portal

as well as the process of integrating those prices into the IAM solution and the Access Request Portal, which is the shopping window of the IT department towards the business.

This could easily be extended to cloud services, public as well as private ones, if they are connected to the IAM solution by direct or indirect provisioning, or merely through knowledge of the user accounts, entitlements or resources that exist in there.

What could be the output of that?

The output could be a monthly "bill" to departments or cost centers showing their IT cost for the last billing period, bringing the cost of IT back into the mind of the business. The effect I've seen in organizations using their IAM solution as their IT chargeback baseline was amazing: cost center managers took notice of those bills and checked whether it was really necessary for 35 employees in their department to have access to really expensive services they didn't need. This enabled them to unsubscribe dedicated users from those services to save money in their budget. It might also have saved money in the IT budget, through a smaller license package or whatever. So it was a win-win situation for both sides: the IT department delivering IT services as an internal service provider, and the end users and departments as service subscribers. It's also a good way to justify IT budgets transparently across organizations.
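As an added example of the mechanics described above (my code, not the IT Chargeback module of Quest One Identity Manager), here is the join that produces such a bill from what an IAM solution knows: identities with their cost center, their entitlements in connected systems, a price per entitlement, and, where a system reports it, when an entitlement was last used. The price list, the constructed IAM export and the 90-day "unused" rule are illustrative assumptions.

```python
"""IT chargeback from IAM data: join identities to cost centers and priced
entitlements, produce a monthly bill per cost center and flag entitlements
nobody has used for a while. Added example, not the product's module.
Assumptions: illustrative prices, a constructed IAM export, a 90-day
'unused' rule, and last-use dates only for systems that report them."""
from collections import defaultdict
from datetime import date

# Illustrative monthly price per unit (assumption).
PRICES = {
    "ad_account": 2.00,
    "exchange_mailbox": 5.00,
    "mailbox_gb": 0.50,
    "sap_account": 45.00,
    "bi_reporting": 120.00,
}

# Constructed IAM export: one record per identity, as an IAM solution would
# know it from its connected systems. 'last_use' only covers systems that
# report usage back (here: SAP and the BI tool), so a missing date is
# "unknown", not "never used".
IDENTITIES = [
    {"id": "u001", "cost_center": "CC-100",
     "entitlements": {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 4, "sap_account": 1},
     "last_use": {"sap_account": date(2012, 9, 20)}},
    {"id": "u002", "cost_center": "CC-100",
     "entitlements": {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 1, "bi_reporting": 1},
     "last_use": {"bi_reporting": date(2012, 5, 1)}},
    {"id": "u003", "cost_center": "CC-200",
     "entitlements": {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 2},
     "last_use": {}},
    {"id": "u004", "cost_center": "CC-200",
     "entitlements": {"ad_account": 1, "sap_account": 1},
     "last_use": {"sap_account": date(2012, 9, 25)}},
]

AS_OF = date(2012, 9, 26)      # billing date used by the demo and the tests


def monthly_bill(identities, prices, as_of, unused_days=90):
    """Return (total per cost center, list of unused-entitlement findings).
    An entitlement without a price is an error, not a free line item: a
    silent zero would hide exactly the services the bill exists to expose."""
    bill = defaultdict(float)
    unused = []
    for ident in identities:
        for ent, qty in ident["entitlements"].items():
            if ent not in prices:
                raise KeyError("no price defined for entitlement %r" % ent)
            amount = prices[ent] * qty
            bill[ident["cost_center"]] += amount
            last = ident["last_use"].get(ent)
            if last is not None and (as_of - last).days > unused_days:
                unused.append((ident["cost_center"], ident["id"], ent, amount))
    return dict(bill), unused


def render_bill(bill, unused, unused_days=90):
    """Plain-text lines: one total per cost center, then review items."""
    lines = ["%s: %.2f" % (cc, total) for cc, total in sorted(bill.items())]
    for cc, uid, ent, amount in unused:
        lines.append("review %s: %s holds %s (%.2f/month), unused for more than %d days"
                     % (cc, uid, ent, amount, unused_days))
    return lines


if __name__ == "__main__":
    totals, findings = monthly_bill(IDENTITIES, PRICES, AS_OF)
    print("\n".join(render_bill(totals, findings)))
```

The "review" lines are the part that produced the effect described in the post: the bill does not just state a total, it names the identity and the entitlement that costs money without being used, which is what a cost center manager needs in order to unsubscribe it through the access request portal. Pricing every entitlement is deliberately mandatory; an unpriced service would otherwise disappear from the bill entirely.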

Categories: Cloud, IAM, IT Chargeback, Strategy