Archive for 'Security/identity'

New: Modern authorization systems and XACML

Over on the Forrester blogs, I take a look at XACML, advocating that it needs to refactor heavily to meet mobile/cloud authorization policy needs. UMA as a potential enterprise “access management 2.0″ solution makes an appearance as well. Quoting the post: “Would an XACML.next that concentrates on ‘growing the pie’ for declarative authorization policy be valuable? Would an integration of web and post-web access management help you achieve your goals?” If you have thoughts on this, check out the post and let me know…

Consensual impersonation is delegation done very wrong

I’ve got a new post up on the Forrester blogs about “consensual impersonation”, which is what happens when you give your password to someone else so they can do something from your account. As Paul Madsen points out, it’s “another manifestation of the password anti-pattern”, and it’s a use case whose legitimacy — at least some of the time — we haven’t really thought about. Head over there to see if I manage to avoid mentioning UMA. (Hint…)

New post: Make A Resolution: Kill Your P@55W0rD Policies

Over on the Forrester blogs, I’ve got a post meant to inspire IT folks to think outside the box when it comes to passwords. Nix password policies? Hey, a girl can dream.

Speaking of resolutions, I have a goal to blog more often in the new year. At least it will help with brain house-cleaning. Last Wednesday was my eighth blogiversary and I didn’t even commemorate it, sigh.

Happy 2013, everyone!

New post: Venn of access control for the API economy

Up on the Forrester blogs, I present a new Venn diagram that compares OAuth, OpenID Connect, and UMA. A number of people contributed to the final form of this one, which we presented in a Google Tech Talk a couple of weeks back. Thanks to all of the following folks (listed in no particular order) for their feedback!

By the way, we’ve got another UMA Twitter chat coming up this Wednesday morning at 9am Pacific. For details, visit http://tinyurl.com/umachat. Spread the word, join us, and get all your questions answered…

New: strong authentication research: “bring your own token”

Over on the Forrester blogs, I talk about my just-published TechRadar™ on strong authentication, and the term we came up with for leveraging the devices, apps, and communications channels you already have for logging-in purposes: bring-your-own-token. BYOT. Like BYOD. (Geddit??)

(Note to Paul: No, not that BYOT… Your timing on that post absolutely killed me.)

New: Musings on SCIM after IIW

Over on the Forrester blogs, I talk about the latest progress on Simple Cloud Identity Management (SCIM), as seen and discussed at IIW.

(I’ll be at Forrester Security Forum November 9-10, in lovely Miami — you going?)

New: Report contemplating OAuth and “Zero Trust identity”

Is it possible for an enterprise to turn itself inside-out? Apparently so. I’ve got a new post up on the Forrester blogs that discusses the “Zero Trust” aspect of enterprise security that a number of companies are addressing with various clever uses of OAuth.

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “Protecting Internal APIs – Is OAuth Ready For Its Closeup?”

Check out my new post on the Forrester blog, looking to hear about your experience and opinions on the use of OAuth to secure your internal app landscape. You know you have stories. I know you have stories. So why not share them??

I hosted a session at IIW last week to start collecting data around this topic, impishly/illicitly called Two Legs Good? (since the OAuth community keeps trying to quit the “legs” habit but can’t seem to manage it). Session notes are at the link. IIW totally rocked this time; thanks to the organizers and all who contributed to making it great!

In order to encourage you to comment over on the other site, I’ve turned off comments here (boy, does that feel weird…). If you prefer to weigh in with 140 characters’ worth of wisdom, just be sure to use the hashtag #Forr2Legs so I’ll see it.

How UMA deals with scopes and authorization

The UMA group has been quite busy of late. Like several other efforts (don’t miss John Bradley’s OpenID ABC post or anything Mike Jones has been blogging in the last few months), we’ve been gearing up for IIW 12 as a great place to try out our newest work, figure out the combinatorial possibilities with all the other new stuff going on, and get feedback.

Newcastle University’s SMART project team will be in Mountain View again, discussing their UMA implementation and UX work. And vice-chair Maciej Machulak and I plan to convene a session to share our draft solution for loosely coupling an OAuth authorization server and resource server to solve for externalized authorization and interoperable scoped access in the UMA context.

Back in February, a bunch of us tried discussing this very subject in Twitter and got pretty far, but it took Paul Madsen to put the whole story together in his blog post Way more than 140. And loving it. Check it out.

Essentially, UMA is choosing to give the host (resource server) more autonomy than it would typically have in a tightly coupled environment, so that it’s not entirely accurate to say it’s a mere policy enforcement point (PEP) and the authorization manager (authz server) is a full policy decision point (PDP). This seems to make good sense in a totally open-Web environment. However, “the full PDP” is an optional feature we could probably add if there’s interest.

The really interesting thing is that, to make externalized authorization work, we’ve had to go “radically claims-based”. The model seems very powerful and generative — it gives the power to upgrade and downgrade granted scopes at will! But it does take a step or two back from pure OAuth 2.0 as a result. This is something I’m keen to discuss with folks in and around IIW; we’ll be presenting these slides to that end.