Why are security phrases a bad idea?

Posted May 19, 2010 by ggebel
Categories: KBA

The title of this post was the security pass phrase question I chose when registering for online access to a financial services firm. I called aforementioned financial services firm today and when prompted for the answer by the customer service representative, I responded “because you can’t remember the questions or answers.” Unfortunately, that was not the correct response to this knowledge based authentication (KBA) question. However, this experience is another example of why static KBA systems are a bad idea – usability. I registered for access so long ago that I can’t remember the response (I usually include them in my password safe, but did not in this instance). Being an identity-privacy zealot, I did not enter one of the usual KBA questions like, what was the first car you owned or where did I go to high school.

Why are static KBA systems still in use? They are a very weak link in the security chain, but used by so many web sites including, supposedly, security conscious banking sites. In the age of Google and Facebook, the list of good KBA questions is effectively zero. I will be happy when my account is closed with this financial institution!

Comments: 2 Comments

Small Vendor “Risk”

Posted May 6, 2010 by ggebel
Categories: IdM Market

What is the real risk of choosing a small, innovative vendor for your critical IT projects? On the one hand, you can purchase a product built by a vendor that specializes in a specific functional area, is passionate about customer success, and adjusts priorities to meet your particular business requirements. On the other hand, you can choose to purchase an average product, built by a vendor that has a product list bigger than the national debt, is passionate about their profitability, and pressures customers to buy into a grand vision.

What choice do you make? Which option will ensure the success of your business objectives?

Comments: 1 Comment

Stand Up For Standards

Posted May 6, 2010 by ggebel
Categories: Standards

Andre Durand’s keynote yesterday at the EIC conference contained many quotable quotes, but the one that stood out for me was, “Enterprises must stand up for standards.” Andre said this while describing the role pure play vendors have in the greater IT community – keeping the large vendors honest regarding their commitment to standards.

IdM standards offer the promises of interoperability, independence from vendor lock-in, and future-resilient systems. Does your vendor have the same perspective?

Enterprises can let vendors off the hook if they don’t inquire, specifically, as to how a product implements a particular standard. Do you ask, in advance, detailed questions about how completely a standard is supported? Does your vendor avoid directly answering these questions, or are they forthcoming?

During product evaluations, there are times when purchasers can compromise on any number of issues. Let’s face it; there are no perfect products available. And, no vendor has anticipated every use case. Deadlines are looming, we have to make a decision.

Ultimately, enterprises hold the power and influence in their budgets. Are vendors serious about their commitment to identity management standards? The answer can be found in your purchase order.

Comments: Be the first to comment

Some Business Stakeholders Might Want Your IT Project to Fail

Posted May 6, 2010 by ggebel
Categories: IdM Projects

What?! That was my response when hearing Dr. Rainer Janssen, CIO of Munich Re deliver his keynote presentation at the EIC conference this week. Dr. Janssen offered many perspectives that I had not heard or thought of before. Many an article has been written and presentation offered that discusses “alignment” of business and IT. Most of these supposed tenets were turned upside down or inside out during a very interesting presentation.

Some business stakeholders might want your IT project to fail? Really? I thought we invited stakeholders to IT projects to make them succeed. The lesson here is; make sure you know the motivations of stakeholders that you invite to the project. The worst case is not knowing they might be pulling against you – until it’s too late.

Comments: Be the first to comment

Authorization Performance Myth Busting

Posted April 30, 2010 by ggebel
Categories: Performance, XACML

It’s a common misconception that XACML authorization systems perform poorly by default because they are XML-based. While it is true that XML systems can be slow, XACML product vendors have many techniques at their disposal to address performance concerns. Keep in mind, however, that every application and every deployment has its own performance considerations and will require individual analysis. Therefore, this post lists the main bottleneck points for performance and discusses some alternatives for each.

Policy Retrieval: When resources are accessed, the authorization system must find the right policy to evaluate. If the PDP is going to the database or file system to retrieve policies during runtime, you can degrade response time considerably. An alternate approach is to load all policies into memory at PDP startup. XACML policies are not excessively large, so memory usage is not an issue.

Policy Matching: Policy modeling and structure directly impact how quickly a PDP can find the right policy to evaluate. Application access patterns must be studied to determine the most efficient policy structure for rapid matching and evaluation.

Attribute Retrieval: Attributes are the lifeblood of an XACML system and their inefficient retrieval can contribute to poor application performance. Attributes can be incorporated into the authorization process from many entry points: 1) the PEP can gather attributes from the user session or service request, 2) the PEP can retrieve additional attributes from enterprise systems and repositories before making the access request, 3) the PDP can retrieve yet more attributes from similar sources before evaluating a rule, 4) you can have all of the above in a given scenario.

If multiple attributes are sourced from the same repository, they can be retrieved with one call, instead of making a call for each attribute. Caching can also be useful to retain in storage attributes that are frequently used by the PDP. Attribute retrieval can also be triggered during policy matching, allowing the PIP interface to “look ahead” for attributes once the PDP knows which policy will be matched. Finally, if an attribute repository is known to be costly to fetch, it should only be utilized in policies that are infrequently called.

Decision Caching: In certain cases, the PEP can cache access decisions so that the PDP does not have to be invoked for each access request. This technique is useful where similar requests would result in the same outcome due to the structure of policies or due to the nature of the request.

Multiple Requests: It is quite common that multiple decisions must be processed for a particular request, such as when a user is requesting access to a list of resources. Such requests will be more efficient if they are processed as a “multiple request” instead of a series of individual requests because there is less transport overhead and the PDP can optimize the request knowing it is for the same subject (user).

This reminds me that I recently heard a comment at an industry event where a vendor stated, “If you are rendering a web page with 50 authorizations in it, it is not possible if you do a SOAP call for each authorization.” Well, of course that is a correct statement but not exactly helpful to prospective customers that are considering deploying XACML authorization. This is precisely a case where multiple requests should be utilized and where more suitable enforcement points should be considered to avoid the SOAP overhead.

PDP – PEP Interaction: It is possible to implement a closely coupled PDP-PEP in order to reduce transport overhead. In addition, authorization systems should be able to support several types of transport mechanisms, such as web service, RMI, in process, or others. In extremely performance-sensitive cases, the PDP and PEP should be able to communicate via in-process calls for ultimate response times.

PDP Features: In general, the PDP is stateless, making it very easy to create several concurrent instances. These instances may run on separate threads (and thus leverage multi-core architectures) and/or on separate hosts to increase the capacity of the authorization system.

What have you done to address performance concerns??

Photo credit: http://bit.ly/aXnTlb

Comments: 4 Comments

Myth Busting, XACML Style

Posted April 6, 2010 by ggebel
Categories: XACML

MythBusters is a popular TV series that attempts to prove or disprove popular beliefs, rumors, or “myths.” Their topics have ranged from whether cell phones interfere with a plane’s instruments (they don’t) to whether a fingerprint reader could be spoofed (it was). In the realm of XACML, there are also what we would consider myths or at least mis-conceptions.

Over the next several weeks, I will address the following candidate myths and share some of Axiomatics’ perspectives. If you have others that should be added to the list, please let me know.

  • XACML will cause performance problems for my application
  • The XACML policy language does not cover my complex application scenarios
  • XACML authorization systems are not “stateful”
  • Administrators do not understand XACML
  • Another standard? Can’t we do this with SAML (addressed this one previously)
  • XACML is an immature standard
  • XACML does not define the communication protocol between PDP and PEP
  • XACML is only good for SOA deployments

Thanks to David, Erik, and Ludwig for their input

Comments: 1 Comment

If the shoe fits…

Posted March 9, 2010 by ggebel
Categories: Uncategorized

Of course Jackson’s post on SAML vs. XACML for authorization caught my eye and I wanted to add some thoughts…

First, I don’t think it’s a Betamax vs. VHS zero sum game. Exchanging attributes (claims) via SAML tokens is a reasonable place to start for relatively simple application authorization. I will resist the urge to respond as a purist and won’t point out all the extra benefits you get from going to the XACML model :-) . What’s important is finding a practical approach that is suitable for the requirements at hand and complementary to existing IdM infrastructure.

At Axiomatics, we do talk to organizations that want to get deep into sophisticated authorization services – and we think XACML is the right model for such scenarios. However, we acknowledge it is not a one-size-fits-all solution.

Where Microsoft goes with authorization will be interesting to watch. They have already sent a very positive signal to the industry with their claims-based approach to building identity-aware applications. In the mean time, XACML based authorization services are very compatible with claims applications.

Comments: 1 Comment

XACML workshops in San Francisco and Wash DC

Posted February 19, 2010 by ggebel
Categories: Workshop, XACML

Please join us in San Francisco or Washington DC for an XACML workshop.

“This is a two day XACML introduction course, including hands-on training. It will be provided by leading XACML experts with in-depth experience from some of the world’s largest XACML deployment projects. Based on their attendee experience, there will be a mix between high-level aspects and technical details. We cover best practices and discuss how you avoid common pitfalls in the deployment of an Attribute Based Access Control (ABAC) solution. However, we also ensure you get a thorough understanding of the XACML request/response and policy languages. You will create and debug your own XACML policies and run access requests against them to verify that you get the response you expect.”

San Francisco, March 9-10

Washington DC, March 16-17

*** ALERT: These workshops have been rescheduled – dates TBD! ***

Comments: 2 Comments

Transitions

Posted February 16, 2010 by ggebel
Categories: Professional
Tags:

After nearly 10 years at Burton Group, I’ve decided to join Stockholm-based Axiomatics to lead their U.S. operations. Working at Burton was a wonderful experience that benefited me immensely personally and professionally. This has been an amazing time in the IdM industry, and hopefully we were able to instigate some positive changes along the way.

Joining Axiomatics gives me an opportunity to work on the supplier side of the industry – and be more actively engaged in helping enterprises solve problems! This job is going to pose lots of new challenges for me, but I look forward to all of it.  Babak and Erik and their team in Stockholm have created a great authorization platform based on XACML, so you can to hear a lot about that from me in the future…

I’ve started this blog so I can have an outlet for musings on identity topics, and other areas of interest. Thank you for all your support over the years and I look forward to working with you all in this new capacity.

Comments: 7 Comments

Newer Entries »
Follow

Get every new post delivered to your Inbox.