2019 Digital Identity Progress Report

Schools out for summer?  Well not quite.  Unless you're living in the east coast of Australia, it's looking decidedly bleak weather wise for most of Europe and the American east coast.  But I digress.  Is it looking bleak for your digital identity driven projects?  What's been a success, where are we heading and what should we look out for?

Where We Are Today

Passwordless - (Reports says B-)

Over the last 24 months, there have been some pretty big themes that many organisations embarking on digital identity and security related projects, have been trying to succeed at.  First up, the age old chestnut...of passwordless authentication.  The password is dead, long live the password!  We are definitely making progress though.  Many of the top public sites (Facebook, LinkedIn, Twitter et al) provide multi-factor authentication options at least.  Passwords are still required as the first step, but the end user education and familiarity with something other than a password during login, must surely be the first steps to getting ridding of them entirely.  2018 also saw the rise of WebAuthn - the W3C standards based approach for crypto based challenge response authentication.  Could this hopefully accelerate adoption to a password-free world?

API Protection - (Report says C+)

API's will eat the world?  Well, digital disruption needs speed, agility and mashups.  API's help organisations achieve those basic aims, but where are we, with respect to the protection of those API's?  API management platforms are now common in most enterprise architectures.  They help to perform API provisioning, versioning and life cycle management, but what about security?  Many use cases fall into the API security band wagon such as service to service authentication, least privilege authorization, token exchange and contextual throttling.  Most API services are now sitting comfortably behind basic authentication, but fine grained controls and basic use cases such as token revocation and rotation are still in their infancy.  Report says "we must do better".

Microservices Protection - (Report says B-)

Not all API's are microservices, but many net new additions to projects will leverage this approach.  But microservices infrastructures, bring many new security challenges as well as benefits.  Service versioning, same service load balancing, high through puts and fine grained access controls have created some new emerging security patterns.  Both the side car and inflight/proxy approach for traffic introspection and security enforcement have appeared.  Microservices by their design, normally means very high transactions per second, as well as fine grained access control - with each service performing only a single task.  Stateless OAuth2 seems to fit the bill for many projects, but the consistency around high scale token introspection and scope design seems immature.

IoT Security - (Reports says C-)

Many digital disruption projects are embracing smart device (HTTP-able) infrastructures.  Pairing those devices to real people seems a winner for many industries, from retail, insurance to finance.  But and there's always a but, the main interest for many organisations is not the device, but the data the device is either collecting or generating.  Device protection is often lacking - default credentials, hard coded keys, un-upgradable firmware, inability to use HTTPS and the inability to store access tokens are all very common.  There are costs and usability issues with increased device security and no emerging patterns are consistent.  Several regulations and security best practice documents now exist, but adoption is still low.

User Consent Management - (Report says B-)

GDPR has probably had the biggest impact, from an awareness perspective, than any other piece of regulation relating to consent.  The consumer, from a pure economic buyer perspective at least, has never been so powerful.  One click away from a competitor.  From a data perspective however, it seems the capitalist corporate machine is holding all the cards.  Marketing analytics, usage tracking, location tracking, you name it, the service provider wants that data to either improve your service, or improve their ability to market new services.  Many organisations are not stupid.  They realise that by offering basic consent management functionality (contact preferences, ability to be removed, data exportation, activity viewing) they are not only ticking the compliance check box, but can actually create a competitive advantage by giving their user community the image of being at trusted partner to do business with.  But will the end user be ever truly in control of their data?

What's Coming

The above 4 topics are not going away any time soon.  Knowledge, standards maturity and technology advances, should all allow each of those areas to bounce a grade within the next 18-24 months.  But what other concerns are on the horizon?  

Well skills immediately spring out.  Cyber security in general is known to have a basic skills shortage.  Digital Identity seems to fall in to that general trend and some of these topics are niches within a niche.  Getting the right skill set to design micro services security or consent management systems will not be trivial.

What about new threats - they are emerging every day.  Bot protection - at both registration and login time - not only helps improve the security posture of an organisation, but also helps improve user analytics, remove opportunities for false advertising and provide a clearer picture to a service's real organic user community.  How will things like ML/AI help here - and does that provide another skills challenge or management black hole?

The final topic to mention is that of usability.  Security can be simple in many respects, but usability can make or break a service.  As underlying ecosystems become more complex, with a huge supply chain of API's, cross-boundary federations and devices, how can the end user be both protected, yet offered a seamless registration and login experience? Dedicated user experience teams exist today, but their skill set will need to be sharpened and focused on the security aspect of any new service. 


2019 Digital Identity Progress Report

Schools out for summer?  Well not quite.  Unless you're living in the east coast of Australia, it's looking decidedly bleak weather wise for most of Europe and the American east coast.  But I digress.  Is it looking bleak for your digital identity driven projects?  What's been a success, where are we heading and what should we look out for?

Where We Are Today

Passwordless - (Reports says B-)

Over the last 24 months, there have been some pretty big themes that many organisations embarking on digital identity and security related projects, have been trying to succeed at.  First up, the age old chestnut...of passwordless authentication.  The password is dead, long live the password!  We are definitely making progress though.  Many of the top public sites (Facebook, LinkedIn, Twitter et al) provide multi-factor authentication options at least.  Passwords are still required as the first step, but the end user education and familiarity with something other than a password during login, must surely be the first steps to getting ridding of them entirely.  2018 also saw the rise of WebAuthn - the W3C standards based approach for crypto based challenge response authentication.  Could this hopefully accelerate adoption to a password-free world?

API Protection - (Report says C+)

API's will eat the world?  Well, digital disruption needs speed, agility and mashups.  API's help organisations achieve those basic aims, but where are we, with respect to the protection of those API's?  API management platforms are now common in most enterprise architectures.  They help to perform API provisioning, versioning and life cycle management, but what about security?  Many use cases fall into the API security band wagon such as service to service authentication, least privilege authorization, token exchange and contextual throttling.  Most API services are now sitting comfortably behind basic authentication, but fine grained controls and basic use cases such as token revocation and rotation are still in their infancy.  Report says "we must do better".

Microservices Protection - (Report says B-)

Not all API's are microservices, but many net new additions to projects will leverage this approach.  But microservices infrastructures, bring many new security challenges as well as benefits.  Service versioning, same service load balancing, high through puts and fine grained access controls have created some new emerging security patterns.  Both the side car and inflight/proxy approach for traffic introspection and security enforcement have appeared.  Microservices by their design, normally means very high transactions per second, as well as fine grained access control - with each service performing only a single task.  Stateless OAuth2 seems to fit the bill for many projects, but the consistency around high scale token introspection and scope design seems immature.

IoT Security - (Reports says C-)

Many digital disruption projects are embracing smart device (HTTP-able) infrastructures.  Pairing those devices to real people seems a winner for many industries, from retail, insurance to finance.  But and there's always a but, the main interest for many organisations is not the device, but the data the device is either collecting or generating.  Device protection is often lacking - default credentials, hard coded keys, un-upgradable firmware, inability to use HTTPS and the inability to store access tokens are all very common.  There are costs and usability issues with increased device security and no emerging patterns are consistent.  Several regulations and security best practice documents now exist, but adoption is still low.

User Consent Management - (Report says B-)

GDPR has probably had the biggest impact, from an awareness perspective, than any other piece of regulation relating to consent.  The consumer, from a pure economic buyer perspective at least, has never been so powerful.  One click away from a competitor.  From a data perspective however, it seems the capitalist corporate machine is holding all the cards.  Marketing analytics, usage tracking, location tracking, you name it, the service provider wants that data to either improve your service, or improve their ability to market new services.  Many organisations are not stupid.  They realise that by offering basic consent management functionality (contact preferences, ability to be removed, data exportation, activity viewing) they are not only ticking the compliance check box, but can actually create a competitive advantage by giving their user community the image of being at trusted partner to do business with.  But will the end user be ever truly in control of their data?

What's Coming

The above 4 topics are not going away any time soon.  Knowledge, standards maturity and technology advances, should all allow each of those areas to bounce a grade within the next 18-24 months.  But what other concerns are on the horizon?  

Well skills immediately spring out.  Cyber security in general is known to have a basic skills shortage.  Digital Identity seems to fall in to that general trend and some of these topics are niches within a niche.  Getting the right skill set to design micro services security or consent management systems will not be trivial.

What about new threats - they are emerging every day.  Bot protection - at both registration and login time - not only helps improve the security posture of an organisation, but also helps improve user analytics, remove opportunities for false advertising and provide a clearer picture to a service's real organic user community.  How will things like ML/AI help here - and does that provide another skills challenge or management black hole?

The final topic to mention is that of usability.  Security can be simple in many respects, but usability can make or break a service.  As underlying ecosystems become more complex, with a huge supply chain of API's, cross-boundary federations and devices, how can the end user be both protected, yet offered a seamless registration and login experience? Dedicated user experience teams exist today, but their skill set will need to be sharpened and focused on the security aspect of any new service. 


Renewable Security: Steps to Save The Cyber Security Planet

Actually, this has nothing to-do with being green.  Although, that is a passion of mine.  This is more to-do with a paradigm that is becoming more popular in security architectures: that of being able to re-spin particular services to a known “safe” state after breach, or even as a preventative measure before a breach or vulnerability has been exploited.

Triple R's of Security


This falls into what is known as the “3 R’s of Security”.  A quick Google on that topic will result in a fair few decent explanations of what that can mean.  The TL;DR is basically, rotate (credentials), repair (vulnerabilities) and repave (services and servers to a known good state).  This approach is gaining popularity mainly due devops deployment models.  Or “secdevops”.  Or is it “devsecops”?  Containerization and highly automated “code to prod” pipelines make it a lot easier to get stuff into production, iterate and go again.  So how does security play into this?

Left-Shifting 


Well I want to back track a little, and tackle the age old issue of why security is generally applied as a post live issue.  Security practitioners, often evangelise on the “left shifting” of security.  Getting security higher up the production line, earlier in the software design life cycle and less as an audit/afterthought/pen testing exercise.  Why isn’t this really happening?  Well anecdotally, just look at the audit, pen testing and testing contractor rates.  They’re high and growing.  Sure, lots of dev teams and organisations are incorporating security architecture practices earlier in the dev cycle, but many find this too slow, expensive or inhibitive.  Many simply ship insecure software and assume external auditors will find the issues.

This I would say has resulted in variations of R3.  Dev as normal and simply flatten and rebuild in production in order to either prevent vulnerabilities being exploited, or recover from them faster.  Is this the approach many organisations are applying to newer architectures such as micro-services, server-less and IoT?

IoT, Microservices and Server-less


There are not many mature design patterns or vendors for things like micro-services security or even IoT security.  Yes, there are some interesting ideas, but the likes of Forrester, Gartner and other industry analysts, don’t to my knowledge, describe security for these areas as a known market size, or a level of repeatable maturity.  So what are the options?  These architectures ship with out security? Well, being a security guy, I would hope not.  So, what is the next best approach?  Maybe the triple R model is the next best thing.  Assume you’re going to breached – which CISO’s should be doing anyway – and focus on a remediation plan.

The triple R approach does assume a few things though.  The main one, is that you have a known-safe place.  Whether that is focused on images, virtual machines or new credentials, there needs to be a position which you can rollback or forward to, that is believed to be more secure than the version before.  That safe place, also needs to evolve.  There is no point in that safe place being unable to deliver the services needed to keep end users happy.

Options, Options, Options...


The main benefit of the triple R approach, is you have options – either as a response to a breach or vulnerability exposure, or as a preventative shortcut. It can bring other more pragmatic issues however.  If we’re referring to things like IoT security – how can devices, in the field and potentially aware from Internet connectivity – be hooked, rebuilt and re-keyed?  Can this be done in a hot-swappable model too, without interruptions to service?  If you need to rebuild a smart meter, you can’t possibly interrupt electricity supply to the property whilst that completes.

So the R3 model is certainly a powerful tool in the security architecture kit bag.  Is is suitable for all scenarios?  Probably not.  Is it a good “get out of jail” card in environments with highly optimized devops-esque process?  Absolutely.

Renewable Security: Steps to Save The Cyber Security Planet

Actually, this has nothing to-do with being green.  Although, that is a passion of mine.  This is more to-do with a paradigm that is becoming more popular in security architectures: that of being able to re-spin particular services to a known “safe” state after breach, or even as a preventative measure before a breach or vulnerability has been exploited.

Triple R's of Security


This falls into what is known as the “3 R’s of Security”.  A quick Google on that topic will result in a fair few decent explanations of what that can mean.  The TL;DR is basically, rotate (credentials), repair (vulnerabilities) and repave (services and servers to a known good state).  This approach is gaining popularity mainly due devops deployment models.  Or “secdevops”.  Or is it “devsecops”?  Containerization and highly automated “code to prod” pipelines make it a lot easier to get stuff into production, iterate and go again.  So how does security play into this?

Left-Shifting 


Well I want to back track a little, and tackle the age old issue of why security is generally applied as a post live issue.  Security practitioners, often evangelise on the “left shifting” of security.  Getting security higher up the production line, earlier in the software design life cycle and less as an audit/afterthought/pen testing exercise.  Why isn’t this really happening?  Well anecdotally, just look at the audit, pen testing and testing contractor rates.  They’re high and growing.  Sure, lots of dev teams and organisations are incorporating security architecture practices earlier in the dev cycle, but many find this too slow, expensive or inhibitive.  Many simply ship insecure software and assume external auditors will find the issues.

This I would say has resulted in variations of R3.  Dev as normal and simply flatten and rebuild in production in order to either prevent vulnerabilities being exploited, or recover from them faster.  Is this the approach many organisations are applying to newer architectures such as micro-services, server-less and IoT?

IoT, Microservices and Server-less


There are not many mature design patterns or vendors for things like micro-services security or even IoT security.  Yes, there are some interesting ideas, but the likes of Forrester, Gartner and other industry analysts, don’t to my knowledge, describe security for these areas as a known market size, or a level of repeatable maturity.  So what are the options?  These architectures ship with out security? Well, being a security guy, I would hope not.  So, what is the next best approach?  Maybe the triple R model is the next best thing.  Assume you’re going to breached – which CISO’s should be doing anyway – and focus on a remediation plan.

The triple R approach does assume a few things though.  The main one, is that you have a known-safe place.  Whether that is focused on images, virtual machines or new credentials, there needs to be a position which you can rollback or forward to, that is believed to be more secure than the version before.  That safe place, also needs to evolve.  There is no point in that safe place being unable to deliver the services needed to keep end users happy.

Options, Options, Options...


The main benefit of the triple R approach, is you have options – either as a response to a breach or vulnerability exposure, or as a preventative shortcut. It can bring other more pragmatic issues however.  If we’re referring to things like IoT security – how can devices, in the field and potentially aware from Internet connectivity – be hooked, rebuilt and re-keyed?  Can this be done in a hot-swappable model too, without interruptions to service?  If you need to rebuild a smart meter, you can’t possibly interrupt electricity supply to the property whilst that completes.

So the R3 model is certainly a powerful tool in the security architecture kit bag.  Is is suitable for all scenarios?  Probably not.  Is it a good “get out of jail” card in environments with highly optimized devops-esque process?  Absolutely.

Identi-Tea Podcast, Episode 5: The Answer is Blowing in the (IoT) Wind

In episode 5, Daniel and Chris are live at IoT World / Connected & Autonomous Vehicles 2017 in Santa Clara, CA. Topics include how identity can play a key role in customizing the user experience for connected cars, how to creatively use access policies and contextual data to solve IoT challenges, and how securing devices on the edge requires a different way of thinking. Oh, and it was very windy.

Episode Links:

ForgeRock Identity Live 2017

Video: Objects in Mirror May Be Closer Than They Appear (Donut Demo)

ForgeRock Edge Security Early Access Program

 

Identity Disorder Podcast, Episode 4: The Rodeo of Things

identity-disorder-speakers-ep004

In episode 4, Daniel and Chris are pleased to welcome one of ForgeRock’s founders, Victor Ake. Victor gives his insight into the Identity of Things, talking the differences between constrained and unconstrained devices, how IoT brokers work, securing IoT devices using identity standards, and how microservices fit in to the picture. Other topics include airport hotels, wrestling, and–wait for it–the rodeo.

Episode Links:

ForgeRock IoT Page:
https://www.forgerock.com/solutions/devices-things/

ForgeRock Identity Summit in London and Paris
https://summits.forgerock.com/

All upcoming ForgeRock events:
https://www.forgerock.com/about-us/events/

Blockchain for Identity: Access Request Management

This is the first in a series of blogs, that will start to look at some use cases for leveraging block chain technology in the world of identity and access management.  I don’t proclaim to be a BC expert and there are several blogs better equipped to tackle that subject, but a good introductory text is the O’Reilly published “Blockchain: Blueprint for a New Economy”.

I want to first look at access request management.  An age old issue that has developed substaintially in the last 30 years, to several sub-industries within the IAM world, with specialist vendors, standards and methodologies.

In the Old Days

 

Embedded/Local Assertion Managment
 
So this is a typical “standalone” model of access management.  An application manages both users and access control list information within it’s own boundary.  Each application needs a separate login and access control database. The subject is typically a person and the object an application with functions and processes.
Specialism & Economies of Scale
 
So whilst the first example is the starting point – and still exists in certain environments – specialism quickly occured, with separate processes for identity assertion management and access control list management.
Externalised Identity & ACL Management
So this could be a typical enterprise web access management paradigm.  An identity provider generates a token or assertion, with a policy enforcement process acting as a gatekeeper down into the protected objects.  This works perfectly well for single domain scenarios, where identity and resource data can be easily controlled.  Scaling too is not really a major issue here, as traditionally, this approach would be within the same LAN for example.
So far so good.  But today, we are starting to see a much more federated and broken landscape. Organisations have complex supply chains, with partners, sub-companies and external users all requiring access into once previously internal-only objects.  Employees too, want to access resources in other domains and as-a-service providers.
Federated Identities

This then creates a much more federated landscape.  Protocols such as SAML2 and OAuth2/OIDC allow identity data from trusted 3rd parties, but not originating from the objects domain, to interact with those resource securely.

Again, from a scaling perspective this tends to work quite well.  The main external interactions tend to be at the identity layer, with access control information still sitting within the object’s domain – albeit externalised from the resource itself.

The Mesh and Super-Federation

As the Internet of Things becomes normality, the increased volume of both subjects and objects creates numerous challenges.  Firstly the definition of both changes.  A subject will become not just a person, but also a thing and potentially another service.  An object will become not just an application, but an autonomous piece of data, an API or even another subject.  This then creates a multi-point set of interactions, with subjects accessing other subjects, API’s accessing API’s, things accessing API’s and so on.

Enter the Blockchain

So where does the block chain fit into all this?  Well, the main characteristics that can be valueable in this sort of landscape, would be the decentralised, append-only, globally accessible nature of a blockchain.  The blockchain technology could be used as an access request warehouse.  This warehouse could contain the output from the access request workflow process such as this sample of psuedo code:

{“sub”:”1234-org2″, “obj”:”file.dat”, “access”:”granted”, “iss”:”tomorrow”, “exp”:”tomorrow+1″, “issuingAuth”:”org1″, “added”:”now”}

This is basic, but would be hashed and cryptographically made secure from a trusted access request manager.  That manager would have the necessary circle of trust relationships with the necessary identity and access control managers.

After each access request, an entry would be made to the chain.  Each object would then be able to make a query against the chain, to identify all corresponding entries that map to their object set, unionise all entries and work out the necessary access control result.  For example, this would contain all access granted and access denied results.

 

A Blockchained Enabled Access Requestment Mgmt Workflow
 
So What?
 
So we now have another system and process to manage?  Well possibly, but this could provide a much more scaleable and interoperable model with request to all the necessary access control decisions that would need to take place to allow an IoT and API enabled world.
Each object could have access to any BC enabled node – so there would be massive fault tolerance and elastic scaling.  Each subject would simply present a self-contained assertion.  Today that could be a JWT or a token within a proof-of-possession framework.  They could collect that from any generator they choose.  Things like authentication and identity validation would not be altered.
Access request workflow management would be abstracted – the same asychronous processes, approvals and trusted interactions would take place.  The blockchain would simply be an externalised, distribued, secure storage mechanism.
From a technology perspective I don’t believe this framework exists, and I will be investigating a proof of concept in this area.

This blog post was first published @ http://www.theidentitycookbook.com/, included here with permission from the author.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


  • Customer Identity Management
  • The start of IoT security awareness
  • Reduced Passwords on Mobile
  • Consumer Privacy
  • Cloud Single Sign On

In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offering basic contactless payments on debit cards.  The limit for such contactless payments, was recently upped to £30 in September, making the obvious choice for busy interactions such as supermarkets and coffee shops.  This increased emphasis on the mobile representing an identity, will put pressure on mobile's ability for secure credential storage and the potential for fraud and payment data theft.


Internet of Things Data Sharing to be Tackled

IoT is everywhere.  The "web of things", the "internet of everything", each week a new term is coined.  The simple fact is that millions more devices are coming on line, and are generating, collecting and aggregating data from a range of sources - both personal and machine related.  That data needs to be effectively shared using a transparent consent model.  Individuals are more accurately aware than ever before, that their data can be used in a myriad of different ways - some for service improvement but some maliciously.  3rd party data sharing is inevitable, if the true benefits of the IoT world are to be realised - but that data sharing requires real consent and revocation capabilities using standards such as User Managed Access and others.


EU General Data Protection Regulation Brings New Organisational Challenges

The recent change in the EU GDPR, will bring challenges for many organisations looking to leverage the power of digital transformation or harness the power of cloud.  The new EU changes, provide a clear message, regarding the use and management of user data, with powerful fines now acting as a large incentive for compliance and process redesign.  Many end users and consumers are becoming fully aware of how powerful their data can become, when combined with things like tracking, marketing or analytics and full and proper control over that data should be made available.


An Increase in Device Pairing & Sharing

The increase in house hold and consumer devices with "smart" capabilities is leading to a more "pin and pair" ecosystems for things like smart TVs, connected cars, home heating systems, fridges and more.  The ability for a device to be linked to a physical identity, brings a brand new set of use cases for identity impersonation, data sharing and personalisation.  The ability for a TV to be linked to a physical person and not just a household for example, brings interesting use cases for personalised content delivery.  The pairing of devices will probably leverage existing authorization standards such as OAuth2, where quick and simple revocation will help to increase confidence in how physical identities can be linked and revoked from devices.


Every Company Will Have a Blockchain R&D Team

The Bitcoin revolution seems to have hit the top of the "peak of inflated expectations", with the effective delivery still some 5 to 10 years away.  However, the capabilities of the blockchain architecture are starting to visit new non-currency related use cases, such as intellectual property protection, art copyrighting, access request cataloguing and more.  The interest in the distributed and hashed nature of the blockchain, make new transparent data sharing and decision point architectures a potential weapon in the security architect's arsenal.  Whilst many of the capabilities and features may need implementing, many organisations will be looking on with keen eyes, to see if this ecosystem can start to deliver on it's early promise.


Will be interesting to see what 2016 brings.  One thing is for sure, that information security has never been such a concern for many organisations in both the private and public sector.

Happy holidays and see you in 2016!

By Simon Moffatt





Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


  • Customer Identity Management
  • The start of IoT security awareness
  • Reduced Passwords on Mobile
  • Consumer Privacy
  • Cloud Single Sign On

In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offering basic contactless payments on debit cards.  The limit for such contactless payments, was recently upped to £30 in September, making the obvious choice for busy interactions such as supermarkets and coffee shops.  This increased emphasis on the mobile representing an identity, will put pressure on mobile's ability for secure credential storage and the potential for fraud and payment data theft.


Internet of Things Data Sharing to be Tackled

IoT is everywhere.  The "web of things", the "internet of everything", each week a new term is coined.  The simple fact is that millions more devices are coming on line, and are generating, collecting and aggregating data from a range of sources - both personal and machine related.  That data needs to be effectively shared using a transparent consent model.  Individuals are more accurately aware than ever before, that their data can be used in a myriad of different ways - some for service improvement but some maliciously.  3rd party data sharing is inevitable, if the true benefits of the IoT world are to be realised - but that data sharing requires real consent and revocation capabilities using standards such as User Managed Access and others.


EU General Data Protection Regulation Brings New Organisational Challenges

The recent change in the EU GDPR, will bring challenges for many organisations looking to leverage the power of digital transformation or harness the power of cloud.  The new EU changes, provide a clear message, regarding the use and management of user data, with powerful fines now acting as a large incentive for compliance and process redesign.  Many end users and consumers are becoming fully aware of how powerful their data can become, when combined with things like tracking, marketing or analytics and full and proper control over that data should be made available.


An Increase in Device Pairing & Sharing

The increase in house hold and consumer devices with "smart" capabilities is leading to a more "pin and pair" ecosystems for things like smart TVs, connected cars, home heating systems, fridges and more.  The ability for a device to be linked to a physical identity, brings a brand new set of use cases for identity impersonation, data sharing and personalisation.  The ability for a TV to be linked to a physical person and not just a household for example, brings interesting use cases for personalised content delivery.  The pairing of devices will probably leverage existing authorization standards such as OAuth2, where quick and simple revocation will help to increase confidence in how physical identities can be linked and revoked from devices.


Every Company Will Have a Blockchain R&D Team

The Bitcoin revolution seems to have hit the top of the "peak of inflated expectations", with the effective delivery still some 5 to 10 years away.  However, the capabilities of the blockchain architecture are starting to visit new non-currency related use cases, such as intellectual property protection, art copyrighting, access request cataloguing and more.  The interest in the distributed and hashed nature of the blockchain, make new transparent data sharing and decision point architectures a potential weapon in the security architect's arsenal.  Whilst many of the capabilities and features may need implementing, many organisations will be looking on with keen eyes, to see if this ecosystem can start to deliver on it's early promise.


Will be interesting to see what 2016 brings.  One thing is for sure, that information security has never been such a concern for many organisations in both the private and public sector.

Happy holidays and see you in 2016!

By Simon Moffatt





Identity Summit London 2015

Mike Ellis, ForgeRock CEO at London Identity SummitLast week, ForgeRockhosted the London edition of the Identity Summit 2015. It was a great event, very successful with over 200 attendees to discuss identity, digital transformation and IoT.ForgeRock Identity Summit London Attendees

My coworker Markus has published a detailed recap of the Summit, so I leave you with my usual picture gallery. Enjoy !

Screen Shot 2015-10-14 at 18.26.19There will be two other Identity Summits in November this year. One in Amsterdam on November 5, one in Düsseldorf on November 12. If you haven’t registered yet, it’s still time !


Filed under: Identity Tagged: conference, digitalTransformation, europe, ForgeRock, identity, Identity Relationship Management, iot, London