Microsoft taking on identity mgmt.
Microsoft's strategy revolves around Windows Server 2003, Active Directory and the revamped Microsoft Metadirectory Services 3.0, which is being renamed Microsoft Identity Integration Server (MIIS). MIIS is expected to ship next month.
InfoWorld: Vulnerability enables Passport account hijackings: June 30, 2003: By : Security
A newly disclosed vulnerability could enable attackers to reset the password and hijack older Microsoft .Net Passport accounts, according to a message posted to an online software vulnerability discussion mailing list.
Sun will buy Pixo for cash as part of its plan to make Java the main platform for mobile transactions. "The purchase also makes Sun a major player in the arena of digital rights and access management for mobile content distribution."
Pixo's technology will complement the Java Card Subscriber Identity Module (SIM). The swappable card can be moved from device to device while maintaining the user's identity, so that, as mobile devices become more sophisticated, a user could, for example download music to the PC then transfer it to an advanced mobile phone that included an MP3 player, or download games to a phone and a PDA using the same billing account and password.
Sun also said it plans to eventually roll Pixo into its Project Orion platform announced in February.
Cnet > Will Americans learn to love smart cards?
Informative interview with the CEO of ActivCard, revealing a lot about the state of the Smart Card sector of the digital identity industry. It indicates that the company has deals in hand that will deploy over 50 million cards, 80% to the U.S. government.
Note that as quickly as possible in the first question, he gets to his main talking point:
"It's all about managing identities."
Then the identity management trend is further indicated by:
"Companies are finding that they are already managing identity--but in a fragmented way. When they integrate it, then they actually get cost reductions. That is why this is taking off in the enterprise space."
An SPML interop demo is scheduled at Burton Group's Catalyst Conference July 9-11, 2003. SPML is an OASIS XML standards effort to allow identity management systems to exchange and administer user access rights across heterogenous system boundaries. OASIS says that BMC Software, Business Layers, Entrust, OpenNetwork, PeopleSoft, Sun Microsystems, Waveset, Thor Technologies, and TruLogica had endorsed SMPL.
There is some overlap of SPML with the WS-Security and WS-Policy specifications, so there is still sorting out to do. But this SPML interop marks a signficant step forward in allowing identity managment to extend beyond indivdual "islands of identity."
Glenbrook Adviosry Report : Rethinking Authentication : Excerpt
Today, in contrast, authenticators have suddenly struck gold. Like Moliere's character who discovered he had been speaking prose all along, some authenticators will discover they have always been "identity providers"; they just didn't know it.
The DoD is driving the integration, standardization, and interoperability of PKI, Smart Cards and Biometrics and that will help everyone in the end. In this article it is reported that the PKI strategy will be update in the next month or two to accdomodate what has been learned.
"Just months away from an October mandate that requires over 4 million active-duty, civilian, contractors and some reservists to use the department’s PKI-ready Common Access Card program for network authentication and digital signatures, the Defense PKI Office is looking ahead to the next wave of PKI"
PKI is currently one of the big sticking points in developing identity infrastructure. It is too expensive, inflexible, and difficult to deploy and manage. X.509 certificates have limitations as well. Microsoft recently announced that it will release a simplified and manageable PKI for Windows (details not yet available) and they have been pushing XrML certificates for enhanced capability. But this U.S. government project carries the clout to also innovate in the PKI arena in some desparately needed ways.
History will almost certainly show the CAC to have been one of the more seminal projects in identity technology development. It is forcing standards and interoperability and the development of scalable, deployable techniques for PKI, Smart Cards and Biometrics that are essential precursors of widespread deployment elsewhere. That's why statements such as "Two earlier hurdles, settling on smart-card readers and middleware, are no longer issues" are possible...
InfoWorld Special Report: Does identity management clash with privacy?
Several links to articles about ID Management appear on this page...
Working in conjunction with an identity management system should be a good privacy system with an emphasis on human interaction and judgment. To be effective, it must include a hierarchy of sensitivity that allows critical data to be treated and navigated differently as higher levels are attained, according to Larry Ponemon, chairman and founder of Ponemon Institute, a Tucson, Ariz.-based privacy research facility.
Do no harm: HIPAA's role in preventing ID theft - Computerworld
Although some industry experts tend to disagree, these covered entities are appealing targets for identity theft, the fastest-growing crime in the U.S. today. While not as obvious or attractive a target as financial services or e-commerce companies, these covered entities represent a significant opportunity for enterprising thieves, by virtue of the data that they process and store.
We talk a lot about the fact that Web Services simply cannot deploy without identity infrastructure. Here's a good illustration of why by Jason Bloomberg, Sr. Analyst at ZapThink. It shows a very simple example of a web service, and why it cannot be managed or secured without an identity management infrastructure first existing. This is about a simple an example as I've seen that demonstrates the *why* of the concepts involved.
XML allows standardized interfaces. Web Services is one of many ways of making IT become distributed, interoperable components. But it is identity that lets IT become organized, manageable, controllable, and secure.
It's good to see the world discovering that Identity is Center.
InfoWorld: Microsoft readies kit for security initiative: June 19, 2003: By Paul Krill: Security
The kit will give developers an early opportunity to work with the NGSCB code in preparation for developing applications that take advantage of the technology, according to Microsoft. The company hopes to introduce NGSCB itself in the Longhorn version of the Windows client operating system, which is due in 2005.
In addition, this version of BorderManager supports mobile users, biometrics, and smart card use. It also works with SurfControl, N2H2, and Connectotel and includes a client firewall.
Delta Air plans RFID bag-tag test - Computerworld
Wanna fly? Welcome to the world of Digital Identity - your bag is about to get one.
This story reminds me of the fact that a lot of people think Digital Identity is *just* about surfing the Net. In reality, it is mostly about areas that *aren't* that.
The key is this: digital identity is the intersection of the physical and electronic worlds.
Senator OK with zapping pirates' PCs | CNET News.com
Ah yes, the truly great solution of "log on, download music file, have your pc remotely destroyed".....the insanity grows. (An insanity that can only be stopped with Digital Identity, I might add -- but you knew that.)
VeriSign tracks buyers to fight e-fraud | CNET News.com
This story is important on several levels -- all of them interesting in the identity space.
1. the "erosion" of anonymity on the Internet.
Most folks are pretty oblivious to the *pain* the enterprise is in with regards to identity -- and since the late 90s were all about hooking the enterprise up to the Net, well -- it means the enterprise is pushing back. You see, Cluetrain was right -- markets are getting smarter faster than companies. But now those same companies are forming *markets* (that's what the Liberty Alliance is, a marketplace of companies demanding a solution) -- and *those* markets are getting smarter faster.
Its not an easy issue (anonymity), but I think a lot of people are gonna get uncomfortable with just one company being in the middle of it.
2. The Verisign/Msft complex: have you noticed the press releases lately? Something's going on over there between redmond and the registrar -- and its called a realization that identity is at the center of their business going forward.
3. There is a battle brewing: And i'm not talking about the one between WS-F and Liberty. I'm talking about the general unhappiness that is becoming evident around the way the major credit card companies are conducting themselves. Merchants (like Amazon) are now openly talking about revolt.
4. The cost of identity fraud (on merchants) is about to eat into their business. The boon that is the internet suddenly gets *more* expensive than a bricks and mortar -- and then the UK decides to tax internet purchases. Add it all up and the it means that the current system is about to change -- radically.
5. My gut says we're going to see the 2 Nets develop over the coming years. One will be the Net of today --- blogs and websites and anonymity. One will be the Net where transactions take place: focused on identity. I'd rather see a harmonious solution of convergence -- but it isn't looking promising.
One note: this article mentions that this service "works" with Verified by VISA. I'm sure it does, but, at least as I understand the structure of the Verified by VISA program, a merchant that uses it would have no need for this service.
Either way, the *cost* of preventing id fraud continues to rise...
Mercury News | 06/18/2003 | California financial privacy bill dies
Speier's bill would have required them to obtain customers' written permission before sharing or selling personal information with third parties.
It is interesting how the written word is somehow more powerful than the electronic one.....something for digital signatures and digital identity to solve, i'm sure.
Salesforce.com became the 174th member of the Liberty Alliance this week. Membership in the Liberty Alliance sends a shorthand message to potential enterprise customers that the online customer relationship management software company, which sells no packaged software, will comply with what is becoming accepted industry standards for security and a so-called federated or single network identity.
Single Network Identity?? I don't think I've ever heard that one used before ("network identity" yes; "single network identity" no).
Info With a Ball and Chain
A fairly balanced commentary by Stephen Levy on the subject of DRM. In it he quotes David Weinberger (who will be at this year's Digital ID World conference):
“I don’t think that DRM is in and of itself evil,” says David Weinberger, who recently published an essay in Wired titled “Copy Protection Is a Crime Against Humanity.” “But in the real world, it is evil. There’s no user demand for it. It’s being forced upon us by people with vested interests.”
Of course, I'd debate the "no demand" statement...I know of several large enterprise customers that are demanding, but then again, I don't think David meant *that* kind of demand.
The 2002 "Help America Vote" Act required any locality that accepts federal funds to have computerized voter registration in place by January 2006. Texas is the first to put such a system online, and theirs verifies voters at the polls by swiping the voter's driver's license.
This is a significant step towards making the Texas Driver's license an ID card, not just a certificate of driving priviledges. Legal compliance and speed at the polls are touted advantages...
Wal-Mart announced that they have set January 2005 as the date that suppliers must have RFID implemented. This has been building for some time and many in the industry have been looking for this to force RFID deployment in the retail supply chain.
The RFID story has two very different vectors, and one - MIT's Auto-ID EPC effort - is the one involved here. This is what is often referred to as "license plate RFID" meaning that the RFID processor is as dumb as possible, only sending what is in essence its name and/or serial number. There are several companies who build middleware that integrate this type of RFID info into SAP applications and other supply chain management applications to provide
The goal of EPC based RFID is to drive the cost of what truly are RFID "tags" down below a nickel each, so they can become as widely used as the Bar Code UPC tags. This vector gives rise to the widespread misunderstanding of RFID as "just a better barcode."
The other vector of RFID efforts is much smarter tags, some active (powered) some passive (draw their power from the RF reader) that can be both read/write and have significant computing power in them. Development in this category has been driven by the DoD, and also by mass transit applications, but has much larger potential. This category also crosses lines with contactless smart cards in some instances, and in others RFID tags spontaeously create wireless networks to communication position data, sensor data (temperature, G-forces, etc.) and drive reader requirements down. In the extreme case active RFID networks can communicate directly to satellites eliminating readers altogether, allowing deployment over wider areas, and in areas where deployment doesn't have to be pre-planned.
When you hear discussions of RFID, it is important to keep these vectors separated. One is focused on dumbing down the tag to the lowest possible cost so that inexpensive physical items can incorporate it - that is, it's driving to become a ubiquitous "label" that enables supply chain visibility at the lowest levels. The other is focused on higher value points in the supply chain, and also in many other application arenas. It is aiming to both bring further visibility to all parts of the network, and improve security and convenience in many ways.
All of these RFID systems must eventually integrate into the larger computing network infrastructure, and there the battles of standards, interoperability, etc. are pretty much the same as in all technologies. The real large scale value is only released, however, when that integration is acheived and componetized. This is why large projects that actually deploy are so important - they drive standards.
At the RFIDLive conference, Kevin Ashton, Executive Director of MIT's Auto-ID Center, reminded us what this RFID stuff is all about - putting a fully networked computer in everything that humans make. For indeed, that is what RFID is ultimately all about. His push for open standards, scalable systems, etc. all related to the truly unbelievable volume of networked computers that RFID represents. How many people can tell you off the top of their head how many bits of storage it takes to number every atom in the universe? (A. 256 bits does it with lots of room left over.)
One example of the network impact: making RFID part of all the products made by just 14 companies would add half a trillion computers to the network every year.
Ashton painted a picture of a world where RFID could be presumed that definitely made you think. He pointed out that for 30 years, computer scientists have tried and failed to solve the problem of making light become data for robots and computers - something the human eye does easily. If RFID was ubiquitous, however, robots could easily identify and avoid, approach or otherwise interact with any object in a room.
But the real deployment drivers for RFID are going to be in the supply chain. When you are making, handling, and tracking a billion objects a year as many companies do, the potential for savings are immense.
On another note, something I should have known from my aerospace experience but had forgotten - when RF is involved, it's all about antennas. Turns out that is the largest expense item for RFID readers, and the place where standardization is slowest to appear. And FCC certification requirements don't help either...
InfoWorld: Sun beefs up ID management products: June 11, 2003: By : Security
The increasing interest among organizations in deploying Web services as well as tough new regulatory requirements that mandate better protection of corporate information assets are driving interest in Sun' Identity Management products, according to Andy Eliopoulos, director of business management for Identity Management at Sun."Identity management is fundamental to Web services. Without it, you've got no Web services," he said.
Is RFID the mark of Satan, a tool for Big Brother, or just a technology that could someday connect a billion inanimate objects to the Web?
Radio ID tags get Microsoft backing | CNET News.com
Microsoft is enlisting in a venture designed to help develop standards for radio frequency tags intended for use by retailers and manufacturers to track goods.
The DOD's Common Access Card (CAC) is the largest smart card deployment by the U.S., and it reached a deployment milestone by crossing the half way point on time. There are now 900 enrollment locations active, and it looks like the full 4.3 million enrollments will occur by the end of this year as planned.
The big news item here is the following:
"One of the most obvious improvements would be to tie together back-end systems for physical and logical access. Industry and government representatives are in the process of writing standards that would allow integration of the two kinds of systems."
This program has already created and propogated interoperability standards in many areas. If it succeeds in standardizing the integration of physical access and computer authentication via smart cards it would be a huge step forward.
Meanwhile, proposed federal legislation may introduce nationwide data protection requirements. Bill S.228, the Social Security Number Misuse Prevention Act, prevents commercial entities from collecting Social Security numbers entirely in many cases. Bill S.223, the Identity Theft Prevention Act, tackles the credit card number problem by requiring any business that accepts credit cards to include no more than the last five digits of the card number or the expiration date on an electronic transaction receipt.
Story: How GPS technology could violate your privacy - ZDNet
Quoting Coursey: "This technology is neither inherently good nor bad; it's what you do with it. "
Wal-Mart to throw its weight behind RFID | CNET News.com
RFID spending will be "bigger than...Y2K," predicted AMR Research analyst Pete Abell. "I imagine there will be a rush on investing in RFID."
This article about LinkedIn a social software networking system being designed and trialed by Reid Hoffman, indicates both what might be important about such software, and also illustrates why digital identity is critical in making this type of software useful.
I have followed this arena for a while now, and am always amazed that those who are innovating in this realm don't see the central nature of identity to what they are doing. That can be blamed on many things, from political outlook to what their background in computing is, but it is always stunning to me. This type of software, even more than most, cannot begin to deliver without strong identity-centric design.
It must "know" who belongs, where they fit in the social structure being virtualized, how to protect access to their information and their time and in general how to treat them and their information. Only digital identity techniques will allow that to happen smoothly.
One more example of why "Identity is Center".
InfoWorld: FTC forum: No one easy way to protect privacy: June 05, 2003: By : Security
Reeder's comments followed a morning discussion about business tools available for protecting consumer information, including IBM's Tivoli privacy software, Intel's LeGrande hardware-based security architecture, and the Liberty Alliance's identity management project.
At the Microsoft TechEd conference, it was announed that MS and VeriSign will team up to create a next generation PKI capability. The goal is to bring "ease of use, interoperability and integration" to PKI, something it hasn't yet seen.
"It will take Windows features and add PKI enhancements to handle things like automated renewal of digital certificates, securing of e-mail and digital signatures, and securing of access to wireless LANs or virtual private networks, the companies said."
According to this articleVermont and New Jersey are looking to use Digimarc's watermarking system on their driver's license. They will be using it primarily as an anti-counterfeit method, proving such things as that the license and its photo really belong together.
This highlights that digital identity technology can be used with a high degree of granularity, and tasks can be profitably approached in quite small steps. Yes it is still quite easy to fake enough credentials to trick the DMV into issuing you a false license, but that is a much smaller portion of the problem than the many purely counterfeit licenses issued every day in basements across the nation. Just making driver's license counterfeiting impossible for most of those who sell fake IDs will greatly strengthen that source document, even though it leaves most of the problems unaddressed. And it doesn't create any new privacy or other issues.
Help Net Security
On July 1st, 2003, Civil Code 1798.82 will go into effect in the state of California. This law states that any person or company "doing business" in California must notify residents of a breach to non-encrypted information. Sounds interesting, right? Almost harmless, right?
Question: How many businesses have the identity management systems in place to manage individual customer identities with this fine-grained an approach? Big businesses, maybe. Small to mid-size businesses - no way.
Someone please get Orlando Ayala (Msft's guy in charge of the small to midsize business market) on the phone. I think his active directory sales are about to go up.
Internet Week > Remote Access > Mid-Sized Insurance Company Uses Novell Nsure For Secure Remote Access > May 30, 2003
Enterprise Identity Management packages seem to be entering a new phase in their deployment, something I'll term the "hub and spoke" model. Essentially, the Hub and Spoke model is very useful for a distributed enterprise -- a central organization with affiliates or sales people or partners that are spread out. Enterprise Identity Management is making headway into solving the problems of this niche -- this article explores one instance.
September 2005
August 2005
July 2005
June 2005
May 2005
March 2005
February 2005
January 2005
November 2004
October 2004
September 2004
June 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
