Identity Disorder Podcast, Episode 4: The Rodeo of Things


In episode 4, Daniel and Chris are pleased to welcome one of ForgeRock’s founders, Victor Ake. Victor gives his insight into the Identity of Things, talking about the differences between constrained and unconstrained devices, how IoT brokers work, securing IoT devices using identity standards, and how microservices fit into the picture. Other topics include airport hotels, wrestling, and–wait for it–the rodeo.

Episode Links:

ForgeRock IoT Page:
https://www.forgerock.com/solutions/devices-things/

ForgeRock Identity Summit in London and Paris
https://summits.forgerock.com/

All upcoming ForgeRock events:
https://www.forgerock.com/about-us/events/

Blockchain for Identity: Access Request Management

This is the first in a series of blogs that will start to look at some use cases for leveraging blockchain technology in the world of identity and access management.  I don’t proclaim to be a BC expert and there are several blogs better equipped to tackle that subject, but a good introductory text is the O’Reilly published “Blockchain: Blueprint for a New Economy”.

I want to first look at access request management: an age-old issue that has developed substantially in the last 30 years into several sub-industries within the IAM world, with specialist vendors, standards and methodologies.

In the Old Days

 

[Figure: Embedded/Local Assertion Management]

So this is a typical “standalone” model of access management.  An application manages both users and access control list information within its own boundary.  Each application needs a separate login and access control database. The subject is typically a person and the object an application with functions and processes.

Specialism & Economies of Scale

So whilst the first example is the starting point – and still exists in certain environments – specialism quickly occurred, with separate processes for identity assertion management and access control list management.

[Figure: Externalised Identity & ACL Management]

So this could be a typical enterprise web access management paradigm.  An identity provider generates a token or assertion, with a policy enforcement process acting as a gatekeeper down into the protected objects.  This works perfectly well for single domain scenarios, where identity and resource data can be easily controlled.  Scaling too is not really a major issue here, as traditionally, this approach would be within the same LAN for example.

So far so good.  But today, we are starting to see a much more federated and broken landscape. Organisations have complex supply chains, with partners, sub-companies and external users all requiring access into once previously internal-only objects.  Employees too, want to access resources in other domains and as-a-service providers.

Federated Identities

This then creates a much more federated landscape.  Protocols such as SAML2 and OAuth2/OIDC allow identity data from trusted 3rd parties, but not originating from the object’s domain, to interact with those resources securely.

Again, from a scaling perspective this tends to work quite well.  The main external interactions tend to be at the identity layer, with access control information still sitting within the object’s domain – albeit externalised from the resource itself.

The Mesh and Super-Federation

As the Internet of Things becomes normality, the increased volume of both subjects and objects creates numerous challenges.  Firstly the definition of both changes.  A subject will become not just a person, but also a thing and potentially another service.  An object will become not just an application, but an autonomous piece of data, an API or even another subject.  This then creates a multi-point set of interactions, with subjects accessing other subjects, API’s accessing API’s, things accessing API’s and so on.

Enter the Blockchain

So where does the blockchain fit into all this?  Well, the main characteristics that can be valuable in this sort of landscape would be the decentralised, append-only, globally accessible nature of a blockchain.  The blockchain technology could be used as an access request warehouse.  This warehouse could contain the output from the access request workflow process, such as this sample of pseudo code:

{"sub":"1234-org2", "obj":"file.dat", "access":"granted", "iss":"tomorrow", "exp":"tomorrow+1", "issuingAuth":"org1", "added":"now"}

This is basic, but would be hashed and cryptographically made secure from a trusted access request manager.  That manager would have the necessary circle of trust relationships with the necessary identity and access control managers.

After each access request, an entry would be made to the chain.  Each object would then be able to make a query against the chain, to identify all corresponding entries that map to their object set, unionise all entries and work out the necessary access control result.  For example, this would contain all access granted and access denied results.
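
The warehouse described above, as an added sketch that is not the author's code: entries in the post's field layout are signed by the access request manager, hash-linked into an append-only list, then verified and combined by the object. The integer timestamps, the HMAC stand-in for the manager's signature, the second subject and the "default deny, later block supersedes earlier" rule are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a per-manager key stands in for the manager's
# signature so the sketch needs only the standard library. A real deployment
# would use an asymmetric signature, with objects holding public keys only.
MANAGER_KEYS = {"org1": b"constructed-demo-key-for-org1"}
GENESIS = "0" * 64


def canonical(entry):
    """Stable byte encoding of an entry, so hashes and signatures are repeatable."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sign(entry):
    key = MANAGER_KEYS[entry["issuingAuth"]]
    return hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()


def block_hash(prev, entry, sig):
    return hashlib.sha256(prev.encode() + canonical(entry) + sig.encode()).hexdigest()


def append_entry(chain, entry):
    """Manager side: sign the workflow output and link it to the previous block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    sig = sign(entry)
    chain.append({"prev": prev, "entry": entry, "sig": sig,
                  "hash": block_hash(prev, entry, sig)})


def verify_chain(chain):
    """Object side: reject the whole chain if any block was altered, dropped or forged."""
    prev = GENESIS
    for i, block in enumerate(chain):
        entry = block["entry"]
        if entry.get("issuingAuth") not in MANAGER_KEYS:
            raise ValueError(f"block {i}: issuing authority is not trusted")
        if block["prev"] != prev:
            raise ValueError(f"block {i}: link to previous block is broken")
        if not hmac.compare_digest(block["sig"], sign(entry)):
            raise ValueError(f"block {i}: signature does not match entry")
        if block["hash"] != block_hash(prev, entry, block["sig"]):
            raise ValueError(f"block {i}: hash does not match contents")
        prev = block["hash"]
    return True


def decide(chain, sub, obj, now):
    """Combine every entry for (sub, obj) that is valid at `now` into one result.

    Assumed policy: default deny, and a later block supersedes an earlier one,
    so appending a "denied" entry revokes a grant. Chain position decides the
    order, not the self-reported "added" field.
    """
    verify_chain(chain)
    result = "denied"
    for block in chain:
        e = block["entry"]
        if e["sub"] == sub and e["obj"] == obj and e["iss"] <= now < e["exp"]:
            result = "granted" if e["access"] == "granted" else "denied"
    return result


def build_sample_chain():
    """Constructed sample data: two grants and one later revocation."""
    chain = []
    for entry in (
        {"sub": "1234-org2", "obj": "file.dat", "access": "granted",
         "iss": 100, "exp": 200, "issuingAuth": "org1", "added": 90},
        {"sub": "5678-org3", "obj": "file.dat", "access": "granted",
         "iss": 100, "exp": 300, "issuingAuth": "org1", "added": 95},
        {"sub": "1234-org2", "obj": "file.dat", "access": "denied",
         "iss": 150, "exp": 200, "issuingAuth": "org1", "added": 140},
    ):
        append_entry(chain, entry)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    for t in (120, 160, 250):
        print(t, decide(chain, "1234-org2", "file.dat", t))
```

Editing or removing any stored entry makes `verify_chain` raise, so an object never computes a decision from a chain it cannot validate.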

 

[Figure: A Blockchain Enabled Access Request Management Workflow]

So What?

So we now have another system and process to manage?  Well possibly, but this could provide a much more scalable and interoperable model with respect to all the necessary access control decisions that would need to take place to allow an IoT and API enabled world.

Each object could have access to any BC enabled node – so there would be massive fault tolerance and elastic scaling.  Each subject would simply present a self-contained assertion.  Today that could be a JWT or a token within a proof-of-possession framework.  They could collect that from any generator they choose.  Things like authentication and identity validation would not be altered.

Access request workflow management would be abstracted – the same asynchronous processes, approvals and trusted interactions would take place.  The blockchain would simply be an externalised, distributed, secure storage mechanism.

From a technology perspective I don’t believe this framework exists, and I will be investigating a proof of concept in this area.

This blog post was first published @ http://www.theidentitycookbook.com/, included here with permission from the author.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


  • Customer Identity Management
  • The start of IoT security awareness
  • Reduced Passwords on Mobile
  • Consumer Privacy
  • Cloud Single Sign On

In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offering basic contactless payments on debit cards.  The limit for such contactless payments was recently upped to £30 in September, making it the obvious choice for busy interactions such as supermarkets and coffee shops.  This increased emphasis on the mobile representing an identity will put pressure on the mobile's ability to provide secure credential storage, and raises the potential for fraud and payment data theft.


Internet of Things Data Sharing to be Tackled

IoT is everywhere.  The "web of things", the "internet of everything", each week a new term is coined.  The simple fact is that millions more devices are coming on line, and are generating, collecting and aggregating data from a range of sources - both personal and machine related.  That data needs to be effectively shared using a transparent consent model.  Individuals are more acutely aware than ever before that their data can be used in a myriad of different ways - some for service improvement but some maliciously.  3rd party data sharing is inevitable if the true benefits of the IoT world are to be realised - but that data sharing requires real consent and revocation capabilities using standards such as User Managed Access and others.


EU General Data Protection Regulation Brings New Organisational Challenges

The recent change in the EU GDPR will bring challenges for many organisations looking to leverage the power of digital transformation or harness the power of cloud.  The new EU changes provide a clear message regarding the use and management of user data, with powerful fines now acting as a large incentive for compliance and process redesign.  Many end users and consumers are becoming fully aware of how powerful their data can become when combined with things like tracking, marketing or analytics, and full and proper control over that data should be made available.


An Increase in Device Pairing & Sharing

The increase in household and consumer devices with "smart" capabilities is leading to a more "pin and pair" ecosystem for things like smart TVs, connected cars, home heating systems, fridges and more.  The ability for a device to be linked to a physical identity brings a brand new set of use cases for identity impersonation, data sharing and personalisation.  The ability for a TV to be linked to a physical person and not just a household, for example, brings interesting use cases for personalised content delivery.  The pairing of devices will probably leverage existing authorization standards such as OAuth2, where quick and simple revocation will help to increase confidence in how physical identities can be linked and revoked from devices.


Every Company Will Have a Blockchain R&D Team

The Bitcoin revolution seems to have hit the top of the "peak of inflated expectations", with the effective delivery still some 5 to 10 years away.  However, the capabilities of the blockchain architecture are starting to visit new non-currency related use cases, such as intellectual property protection, art copyrighting, access request cataloguing and more.  The interest in the distributed and hashed nature of the blockchain makes new transparent data sharing and decision point architectures a potential weapon in the security architect's arsenal.  Whilst many of the capabilities and features may need implementing, many organisations will be looking on with keen eyes, to see if this ecosystem can start to deliver on its early promise.


Will be interesting to see what 2016 brings.  One thing is for sure, that information security has never been such a concern for many organisations in both the private and public sector.

Happy holidays and see you in 2016!

By Simon Moffatt





Identity Summit London 2015

[Photo: Mike Ellis, ForgeRock CEO at London Identity Summit]

Last week, ForgeRock hosted the London edition of the Identity Summit 2015. It was a great event, very successful with over 200 attendees to discuss identity, digital transformation and IoT.

[Photo: ForgeRock Identity Summit London Attendees]

My coworker Markus has published a detailed recap of the Summit, so I leave you with my usual picture gallery. Enjoy!

There will be two other Identity Summits in November this year. One in Amsterdam on November 5, one in Düsseldorf on November 12. If you haven’t registered yet, there is still time!



techUK: Securing the IoT – Workshop Review

This week saw the techUK host a workshop on securing the Internet of Things and overcoming the risks associated with an increasingly connected world. The event (#IoTSecurity) attracted a variety of speakers from the public and private sector and brought about some interesting topics and further questions on this ever changing landscape.

Embedded Device and Host Device Life Cycle Disparity

Stephen Pattison from ARM introduced the event, and brought up an interesting view of the challenge of keeping IoT devices up to date - either with firmware, software or hardware improvements.  He observed there is often a disparity between the small inexpensive sensor, actuator, or controller type components and the host device with respect to life span.  For example, a car may last 15 years, whilst a tracking component may last 36 months.  The rip and replace nature of general consumerism has subtle issues with respect to the IoT landscape, where the re-provisioning of new embedded devices, or the improvement in existing devices, is often overlooked.

IoT Security Issues versus Opportunities

Duncan Brown, European Security Research Director at IDC, outlined some of the key problems facing the IoT landscape from a security perspective.  The main factors contributing to the security issue can basically be broken down into the number of physical devices and the amount of data those devices generate.  The sheer volume of connected devices opens up a new attack vector, with the network these devices operate on often being only as secure as the weakest link.  That weakest link is often a low powered and poorly protected device, which allows a land and expand pivot style attack, which if successful, can quickly allow attacks on to more powerful computing resources.  The second main factor is associated with the yottabytes (a trillion terabytes!) of data IoT related devices are capable of collecting.  That data needs to be protected in transit and also at rest, where transparent access control and sharing protocols need to be applied.  These issues, of course, are now opening up new sub-industries, where security assessments, device certifications, software audits and consultancy practices can provide services.

As with many consumer related interactions, IoT also creates an 'elastic security compromise'.  You seemingly can only have 2 out of enjoyable user experience, low risk and low cost.

Indirect Attacks

David Rogers, CEO of Copper Horse Solutions, with his specialism in mobile security, focused on describing how some of the challenges facing the telco operators over the last 10 years can now be applied to the IoT space. With many newly manufactured cars by 2017 going to contain SIM technology, the attack vector, data collecting and data sharing aspects of driving will increase substantially.  David made a subtle observation with respect to how IoT attacks could develop.

Whilst many laugh at the prospect of their digital fridge or washing machine being hacked as a gimmick, the net result of a large scale attack on home automation, isn't necessarily placing the immediate home owner as the victim.  The attacker in this case, could well be targeting the insurance market - which would face a deluge of claims if their washing machine suddenly flooded for example.

Privacy Challenges

Sian John, Security Strategist at Symantec, then focused on the IoT standards and privacy landscape. She argued that IoT is in fact rapidly becoming the 'Internet of Everything', where increased connectivity is being applied to every aspect of everyday life.  Whilst this may deliver better service or convenient experiences, this also opens up new security vulnerabilities and issues with regards to consumer data privacy.  Whilst the IoT ecosystem is clearly focused on physical devices, Sian argued that there is in fact a triad of forces at work: namely people, things and data (albeit I prefer 'people, data and devices...').  Often, the weakest link is the people aspect, who are often concerned with regards to personal data privacy, but don't have the knowledge or understanding with regards to terms and conditions, consent questioning or device configuration.

Sian also pointed out that many consumers have a deep distrust of both technology vendors and social network operators when it comes to personal data privacy.

Overall, it seemed the discussions were focused on the need for a strong and varied security ecosystem, that can focus on the entire 'chip to cloud' life cycle of IoT data, where the identity of both the devices and people associated with those devices is strongly managed.

By Simon Moffatt











Meet ForgeRock at SIdO Lyon, April 7 and 8

I will be there with our team at SIdO, the event 100% dedicated to the Internet of Things, which takes place in Lyon on April 7 and 8, 2015.

In addition to our presence in the coworking space during both days, Lasse Andresen, CTO of ForgeRock, will lead a workshop with ARM and Schneider on the place of Identity in the Internet of Things, on Wednesday the 8th at 1:30 pm.

Feel free to come and visit us in the coworking space.



Gartner Identity Summit London 2015 – Review

This week saw the Gartner Identity and Access Management Summit come to London town.  The event brings together the great and good from the identity community, with a range of vendors, consultancies and identity customers all looking to analyse the current market place and understand the current challenges as well as hot topics that can be applied in 2015 and beyond.

Hitting the Right Notes

The main keynote from the external speaker, was from the highly talented classical musician Miha Pogacnik.  Miha delivered an inspirational 60 minute talk, translating the components of classical music into the realm of business transformation.  He focused on organisational change and all the various different angles of repetition, aggression, questioning and responding that occur and the new challenges it places on organisations, whilst playing a piece of Bach on his violin!  Fantastic.



Consumers Have Identities Too

From a strategic identity perspective, there were several presentations on the developing need for consumer identity management. Many organisations are embracing digital transformation in both the private and public sector, defining use cases and requirements for things like consumer registration, authentication and multi-factor authentication, all done within a highly scalable yet simple identity management framework.

Traditional identity management platforms, products and delivery approaches, are often focused on small scale, repeatable use cases that focus on employees and workflow and don't require the scale or rapid time to delivery that consumer facing projects need.

Gartner's Lori Robinson went through the journey of differences between customer and employee identity management and how features such as consumer registration, map neatly to core provisioning and synchronization use cases, whilst features such as authentication are being extended to include things like adaptive risk, device finger printing and the use of one time passwords to help improve security when high value consumer transactions take place, such as address changes.

The Identity of Things Headache

Another emerging area that not only Gartner, but many consultants and customers were talking about, was that of applying identity patterns to devices and things.  Whilst there has been the initial hype of consumer focused things - such as fitness trackers, fridge monitors and so on - there is a great and developing need for identity and access patterns in the manufacturing space, utilities, SCADA and energy sectors.  Many devices are low powered and have limited cryptographic processing capabilities, but still require registration and linking use cases to be fulfilled, as well as having the data they generate protected.

The linking, relationship building and data privacy concerns of the newly emerging internet of things landscape, requires heavy doses of identity and access management medicine to make them sustainable.

Newer emerging standards such as OpenID Connect and User Managed Access were the main focus of the coffee chatter and how they can provide federated authorization capabilities to both people and things based infrastructures.


Overall it was a well attended and thought provoking summit, with both traditional and emerging vendors sponsoring and some great event party antics.  It seems the identity management space is going from strength to strength, even after being around for over 15 years.  The new challenges of devices, consumers, cloud and mobile are helping to drive innovation in both the vendor and delivery space.

By Simon Moffatt



Top 5 Security Predictions for 2015

January can't go by without another set of prediction blogs coming our way. Be that for lifestyle, how to lose weight, how to gain weight, how to change our lives and so on.  I thought I would join the band wagon and jot down what I think will be the top 5 challenges facing organisations from a security perspective this year.  If I'm being diligent enough, I may even review it come December (only if I'm right of course...).

Customer Identity Management Will Keep CIO's Awake at Night

Many organisations are going through digital transformation processes.  Be that public sector departments wanting to streamline areas such as taxation, driving license management or health care, through to private sector organisations looking to reduce costs or open new market opportunities.

Digital initiatives are everywhere.  Don't believe me? Check out how many CDO (Chief Digital Officers) now exist on LinkedIn - over 3000 in the UK alone.  These new approaches to product and service delivery, require a strong hold on the identity and access management requirements of customers.  Customer registration, authentication, two-factor authentication and device finger printing, are just a few of the topics hitting the to do list of many CISO's and CIO's - all services that suddenly need rolling out to potentially millions of end users.  Big scale and big headaches will result, if a modular and scalable identity platform isn't available.


Water Cooler Chat Will Be All About Device Security and Internet of Things Madness

By now, everyone has an automated toilet, with a mood influenced flush, that instantly publishes the meta data to Twitter right?  Perhaps not, but there is no doubting, that the Internet of Things landscape is maturing rapidly and the identity of things (shameless blog plug) is going to be a huge area for device manufacturers, services providers and end users.

IoT systems and devices, have all been about communications and interoperability so far.  Adding communications services to low power and low capacity devices brings new opportunities for things like home automation, smart cities, smart cars and more.  However, as these devices collect, store and distribute data to brokers and cloud services, data privacy becomes a huge concern, especially if the data contains production plant statistics or personal health information.  The devices, and the ecosystem that supports the delivery of those devices, will need to be coated in a meta layer of security, from registration and authentication services, through to lightweight encryption and signing technology.


Passwords on the Mobile Will Disappear (Ok not entirely..)

Passwords are dead. Long live the passwords.  I think this topic has been the most written about in blog history.  Ever.  Ok, perhaps not quite ever, but the number of column inches dedicated to the next big thing in password-less authentication / how passwords can't die / how passwords will die is quite remarkable.  One thing for sure, is that the number of users accessing web content and apps via mobile devices (be that phones or tablets) is continuing to rise and outstrip the need for desktops significantly.  What that does of course, is increase the desire for less reliance on password based authentication on mobile tech.  It's simply too inconvenient and too insecure.  As mobile devices build out easier to use secure elements, the storage of crypto materials, session tokens, refresh tokens and other authentication data, will allow for the proliferation of protocols such as OAuth2 or crypto related authentication schemes, to take precedence over the traditional username and password approach.


Employees Will Want Access to More Cloud Services

Many organisations are at a cross roads when it comes to cloud services.  Many want to embrace new, as-a-service based components such as HR, payroll, collaboration and office automation systems.  They are often very simple to register and pay for, simple to set up and allow the organisation to concentrate on their key competency areas.  This does however, bring strong challenges with regards to employee provisioning and single sign on to external services.  Employees do not want to have to remember new and different usernames and passwords to access Google Apps, Salesforce or HR Factors.  Single sign on is mandatory for user convenience, as is the ability to create and remove users in a streamlined and automated fashion, using provisioning systems deeply integrated to HR rules and business logic.  These new requirements can put strain on already buckling legacy provisioning and access management systems, that were often conceived and implemented long before the 'cloud' was cool.


Consumers Will Want More Control and Transparency Over Their Data

This last one is interesting.  I don't think this is suddenly a new requirement or concern for 2015. I think it has always been the case, that consumers are very keen to keep their on line identity secure, their banking details safe and their national insurance or social security number locked up.  However, as more and more devices require and process our personal data, end users are becoming more enlightened with regards to how their data is used and stored.

The Internet of Things takes this to a new level, with many more services, apps and devices wanting to consume, process and potentially redistribute personal data.  End users want to have a clear, simple and transparent method of not only sharing data, but also having the ability to revoke previously granted access to personal data.  We are probably some way off this being a reality, but protocols such as OAuth2 and User Managed Access can go some way to help fulfil these newer requirements.

By Simon Moffatt



IoT World Forum Review: Interop, Data & Security

This week saw the 2 day Internet of Things World Forum conference take place in London. There is clearly a general consensus, that the IoT market is a multi-trillion dollar opportunity, through the implementation of items such as consumer wearables, embedded predictive failure components and data collecting sensors.



The rapid rise in connected devices and IoT ecosystems is seemingly being driven by several key factors, including the falling cost of both connectivity and data storage. These lowering barriers to entry, coupled with more developer friendly ecosystems and open platforms, are helping to fulfil new revenue generating business opportunities in multiple verticals including manufacturing and healthcare.

Matt Hatton from Machina Research started off discussing the progression from local standalone projects (Intranets of Things), through to more internal or enterprise focused deployments (Subnets of Things).  David Keene from Google, extended this further, to say the progression will reach the concept of Web of Things, where accessibility and 'findability' will be key to managing and accessing data.

It was clear that data aggregation and analytics will be a major component in any successful IoT infrastructure, whether that is focusing on consumer enhancements, such as the Jaguar connected car project as described by Leon Hurst, through to smart health care, either in the form of Fitbits, or more advanced medical instrumentation.

API's and machine processing were certainly referenced more than once.  The new more connected web, will provide interaction touch points that only machines can understand, coupled with better data aggregation, distributed data storage and centralised querying. API's of course need protection too, either via gateways or via token management integration for standards such as OAuth2.

One aspect that was conspicuous in its absence was that of data privacy, and identity and access management.  The IoT landscape is creating vast amounts of data at stream like speeds.  The concept of little data (small devices in isolation) to big data (aggregated in cloud services) requires strong levels of authentication and authorization, at the device, service and end user level.  The ability to share and transparently know where data is being accessed will be a key concern in the consumer and health care spaces.

Dave Wagstaff from BSquare brought up the interesting concept that many organisations are now subtly moving away from a product based business model, to a software and services based approach. With the increased capability of devices, organisations now can perform much more in the way of remote monitoring, predictive failure and so on, where the end user really is just paying an insurance or subscription for their physical thing.

Bernd Heinrichs from Cisco followed a similar pattern, where he described the German view of Industry v4.0 (or 4.1...) where innovative production concepts are helping to reduce energy, increase uptime and generate better component output.

From a new market opportunity perspective, Francois Menuier from Morgan Stanley, observed that 6% of all consumers now own a wearable, with 59% of them using that wearable daily. In addition many wearable owners, argued that this was an additional purchase and not one to replace existing technology, solidifying the view that new market initiatives are available in the IoT world. However many consumer wearables generate huge amounts of deeply personal data that needs to be protected and shared securely.

Jon Carter from Deutsche Telekom went through the 7 steps for a successful IoT implementation, which ended with the two main points of applying a minimum viable product concept to design and also leveraging a secure and open platform.

Dr Shane Rooney from the GSMA focused his thoughts on security within the mobile network operator network, including the concept of device to device and device to service authentication, as well as the need for greater focus on data privacy.

Overall an interesting couple of days. Whilst most manufacturers and platforms are focused on interoperability and data management, identity and access management has a strong and critical role in allowing 3rd party data sharing and interactions to take place. It will be interesting to see if 2015 and 2016 start to introduce these concepts by default.