A a very high level, the strategy calls for the formation of a standards-based interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: An execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

You can read Jon’s other blog entries at Insecure About Security.

I anticipate a similar upheaval over the next few years around Identity and Access Management (IAM). I am defining IAM as the processes, tools, and data used to connect users to IT services in a secure and well managed fashion.

I firmly believe that much of the IAM infrastructure in place today just won’t cut it over the next few years. Additionally, the transition won’t be based upon product upgrades, new features, and niche vendors. Like the transition from host-based to client/server computing the whole enchilada will be blown up and put back together in a completely different way.

There are lots of reasons for this IAM metamorphosis, but here are a few that top my list:

1. IT consumerization. The global population of consumers dwarfs the biggest organizations and these folks want access to personal and business services without having to register, create a profile, or generate another password. The IAM model that simplifies life for consumers will likely influence what happens in the enterprise.
2. Device proliferation. User identity isn’t enough anymore; we need device identity as well. Why? The policies, rights, and content I receive on my Blackberry is inherently different from what I get on my Windows PC. Device security is also an important criteria for network access.
3. Cloud computing. As enterprise IT heads to the cloud, IAM goes along for the ride. This demands intelligent federation rather than enterprise centralization.
4. Security. Overcoming social engineering attacks, Web threats, and fraud demands a new level of ubiquitous trust. Before I click on a link or connect to a DNS server, I want to know that these connections are real and authentic.

In combination, all these trends introduce unprecedented scale, complexity, security, and distributed architecture requirements to today’s central IAM model. This is a complete mismatch.

I realize I’m not the only one who recognizes this. The U.S. Federal Government just put out a draft paper titled, “National Strategy for Trusted Identities in Cyberspace,” that examines the problem and suggests some solutions. More on this document soon. Clearly, this is a big issue that demands a lot of academic, industry, and enterprise input. I’ll be tracking progress!

Read more of Jon’s blog entries at Insecure About Security.

The list of presenters included:

Mr. Scott Charney
Corporate Vice President, Trustworthy Computing
Microsoft Corporation

Mr. Daniel Burton
Senior Vice President, Global Public Policy
Salesforce.com

Mr. Mike Bradshaw
Director, Google Federal
Google Inc.

Mr. Nick Combs
Chief Technology Officer
EMC Federal

Mr. Gregory Ganger
Professor, Electrical and Computer Engineering
Director, Parallel Data Lab
Carnegie Mellon University

I read some of the transcripts.  Here’s what I found interesting.

1.  EMC’s Combs defined the cloud for the politicos using the National Institute of Standards and Technologies (NIST) definitions – which are:

• Private Cloud is infrastructure deployed and operated exclusively for an organization or enterprise.  It may be managed by the organization or by a third party, either on or off premise.
• Community Cloud is infrastructure shared by multiple organizations with similar missions, requirements, security concerns, etc.  It also may be managed by the organizations or by a third party on or off premise.
• Public cloud is infrastructure made available to the general public.  It is owned and operated by an organization selling cloud services.
• Hybrid cloud is infrastructure consisting of two or more clouds (private, community, or public) that remain unique entities but that are tied together by standardized or proprietary technology that enables data and application portability.

Huh.  These seem like reasonable definitions.  What have we been arguing for?

Second, no real surprise, security was the big thing.  Rightfully so.  The U.S. government lacks the process and competency that most private enterprises leverage, and the panel was telling them to get their act together.  Duh.

In Combs’ closing remarks, he said: (I italicize the things I found compelling).

“I again thank the Committee for allowing EMC and I to contribute to this very important effort.  IT is on the verge of dramatic change; cloud computing has the potential to have the most significant impact on IT since the development of the microprocessor. We have to remain focused to ensure we get it right.  This will be a journey and we will realize benefits at many points along the way and it will provide organizations with much greater flexibility to meet the demanding needs of our federal government.  Admittedly, security is a top concern, but the technology and best practices exist to address that risk.  A critical part of the solution lies in engineering security into the cloud, not bolting it on as an afterthought. Ultimately, cloud computing offers great potential for federal information technology, and federal departments and agencies should be encouraged to embrace that potential.”

We, however, are a society (IT) of bolt-ons.  I’m sure Combs’ commentary was meant to be self-serving–he’s an EMC guy after all–but the point is still valid.  If you buy into the “build it in” mentality, and it’s hard not to, then who are those capable of really doing so?  If the cloud truly does become the next great long-term technology (IT) trend, and if bolt-on approaches to core functionality such as security are NOT the way of the future – then what happens to that big giant market as we know it?  Those who secure our end-points will not be those securing our clouds.

Interesting.

Read Steve’s other blog entries at The Bigger Truth.

Fast forward to yesterday’s news about Symantec acquiring Verisign‘s security business. Yes, SSL certificate sales drove Verisign security revenue, but Symantec gets a heck of a lot more with this acquisition. Add Verisign to PGP and Symantec, and you get:

1. End-to-end trust. Symantec can now create an infrastructure where any user or node can set up a trust relationship with any other user or node. The SSL and PKI parts are not new, but when Symantec bundles a digital certificate in every Norton desktop, you have the potential to bring PKI to the masses.
2. PKI as a service. In a related way, Symantec has the scale and reach to marry the security power of PKI with a global SaaS service. In my opinion, this is a home run as it capitalizes on PKI’s trust model while eschewing its onerous deployment and management. Furthermore, Verisign can now act as a CA for PGP keys as well. Authentication? Digital signatures? Non-repudiation? Symantec has the opportunity to take these geeky terms and apply their goodness. We’ve been talking about the “year of PKI” for 15 years; Symantec now has the opportunity to make it happen.
3. Key management SaaS. While PKI is used for authenticating users and signing documents, PGP can act as the backend data encryption/decryption for large files. PGP’s onsite key server can also leverage Verisign in the cloud. Afraid to manage keys? Need a key escrow service? Call Symantec.

Finally, it is fashionable to talk about cloud computing and how cloud security is the long straw. If you it boil down cloud security, however, some of the key components are identity management, data security, and compliance management. Verisign covers the identity piece, PGP handles data security, and Symantec already has a leading IT GRC platform. Symantec can now sell you the pieces or provide the whole enchilada as a SaaS cloud service.

If this isn’t an exciting security business model, nothing is.

Read more of Jon’s blog entries at Insecure About Security.

For the most part, this announcement flew under the radar of most people but it may be far more significant than a simple technology integration play for several reasons:

1. OpenID is an industry standard with good but not great support. With Google’s muscle, OpenID may be more widely embraced by other cloud and SaaS providers.
2. OpenID has other user benefits besides SSO. With OpenID, a user can choose which personal information they choose to share. This can help users protect private data.
3. OpenID can provide SSO for the Internet. Google could become an identity broker or leave it to others like PingIdentity to do so. As a result, I can log-on once, go to secure sites, and rely on my identity broker to log me in. This eases log-on for users, eliminates the need to manage and secure multiple passwords, and bolsters security.

There are other standard and open source identity efforts like Project Higgins (backed by IBM and Novell) and Microsoft’s recently announced U-Prove technology. Now that Google is on board with OpenID,  I hope we can start to merge these efforts and get the most out of each.

Internet identity is broken right now and we need a solution. Kudos to Google for recognizing this and supporting OpenID, an industry standard, rather than sending users down yet another proprietary path.

Read Jon’s other blog entries at Insecure About Security.

via PGP Offers Enterprise Key Management To Consolidate Encryption Control – Network Computing.

I doubt whether this year’s conference will be as lethargic. Security spending is on the rise and new regulations around data protection and breach notification are making their way through congress. With this as background, I believe the hot topics at this year’s conference will include:

1. Network security. ESG’s research indicates that this is the biggest security priority for most large organizations. I expect to hear about virtual devices and lightning fast multi-function security gateways. Good news for Cisco, Crossbeam, Fortinet, Juniper, and McAfee.
2. Endpoint security. There seems to be a renaissance in this category as endpoint agents consolidate and offer enhanced security protection. Advantage Kaspersky, Sophos, and Symantec.
3. Cloud security. There will be a lot of hype here about this security widget and the next, but the two real interesting things will be cloud security strategy (look for the good work done by the Cloud Security Alliance), and security SaaS. Cisco’s reputation service and Trend Micro’s Smart Protection Network are prototypical applications here.
4. Identity management. I expect massive changes in this area over the next few years as models like OpenID, Shibboleth, and PKI as a service take off. Lots of folks to talk to here including CA, IBM, Novell, and Oracle (if Oracle will answer my calls, that is), and PGP.
5. Data security. I’m hoping that the discussion is less about tactical technologies like DLP, eRM, and encryption and more about enterprise efforts around data security and information governanace. HP and IBM will have a lot to say here.
6. Cybersecurity. The Federal government is ramping up several efforts to bolster government security and improve security within critical infrastructure protection industries. Hopefully, I will have a chance to speak with DHS, US-Cert, and NSA about this.

The RSA Conference is a tale of two cities. Half of the people there are talking and learning about real security problems and strategies while the other half yacks about products. I’m hoping that my time is spent on the former.

Read more of Jon’s blog entries at Insecure About Security.

via PGP Enters Identity Management Space with Acquisition – Security news from Channel Insider.

Okay, some of you may think that this is simply a way to spin PKI (public key infrastructure) into marketing-speak and you are right to some extent. Why bury the PKI lead? Unfortunately, there is stigma around PKI that has lingered for years. In the past, few applications supported PKI and enterprise PKI servers were simply too difficult to install and manage. Yes, security professionals understand the benefits of PKI, but they were scared to death of it thanks to implementation, customization, and administration horror stories.

TC TrustCenter and ChosenSecurity didn’t change PKI, they simply mastered it and made it virtually transparent to customers. As a result, PKI can be embedded into applications, identities, and systems as a service.

To me, this acquisition has upside potential for PGP far beyond existing business growth because:

1. PKI may be the perfect SaaS offering: It offers tremendous value without the resource commitment in skills, product acquisition, administration, etc.
2. What’s one of the things that is broken on the Internet? The element of trust. If I don’t know if a site is trustworthy, how can I be sure if downloaded software will perform as advertised or turn my system into a zombie? The same holds true for systems, individuals, transactions, etc. PKI, if implemented and managed correctly by a trusted third-party, can help address this problem.
3. In my humble opinion, PKI as a service will be baked into a lot of things in the future (like cloud computing, for example).
4. I don’t know how much business PGP does with the U.S. federal government or other national governments now, but it just put itself in a position to do a heck of a lot more.
5. Finally, when we encrypt most of our data in the future, someone will have to manage millions of net new encryption keys. PGP is now in a position to act as a key management or key escrow service.

I could go on and on, but I won’t. I’ve always been one of few fans of PKI, so PKI as a service brings out the excitable geek in me. Obviously, some of the folks at PGP share this enthusiasm.

Read more of Jon’s blog entries at Insecure About Security.

via PGP to Acquire TC TrustCenter for Cloud-Based Identity Management – Security from eWeek.