Archive for May 2010

Why are security phrases a bad idea?

May 19, 2010

The title of this post was the security pass phrase question I chose when registering for online access to a financial services firm. I called the aforementioned financial services firm today and, when prompted for the answer by the customer service representative, I responded “because you can’t remember the questions or answers.” Unfortunately, that was not the correct response to this knowledge based authentication (KBA) question. However, this experience is another example of why static KBA systems are a bad idea – usability. I registered for access so long ago that I can’t remember the response (I usually include them in my password safe, but did not in this instance). Being an identity-privacy zealot, I did not enter one of the usual KBA questions, such as what was the first car you owned or where did you go to high school.

Why are static KBA systems still in use? They are a very weak link in the security chain, yet they are used by so many web sites, including supposedly security-conscious banking sites. The answers to the standard questions are drawn from a small set of possibilities and are frequently discoverable from public profiles; in the age of Google and Facebook, the list of good KBA questions is effectively zero. I will be happy when my account is closed with this financial institution!
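The practical workaround mentioned above (treating security-question answers as secondary passwords and keeping them in a password safe) can be made concrete. The following is an added example, not code from the original post or from any vendor it mentions: it generates a random multi-word answer for a KBA question and compares its entropy with that of a typical real answer. The word list and the assumed sizes of the "real answer" spaces are constructed for illustration only.

```python
import math
import secrets

# Constructed 32-word list for the example. A real tool would use a much
# larger published list; only its size matters for the entropy estimate.
WORDLIST = [
    "anchor", "basil", "cactus", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "river", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "bramble", "cobalt", "drift", "falcon", "glacier",
]

# Assumed (hypothetical) sizes of the answer space for common static KBA
# questions. These are rough illustrative guesses, not measured figures.
TYPICAL_ANSWER_SPACE = {
    "What was the first car you owned?": 60,      # popular makes an attacker would try
    "Where did you go to high school?": 1,        # often listed on a public profile
    "What is your mother's maiden name?": 500,    # common surnames, plus genealogy sites
}


def entropy_bits(choices: int, picks: int = 1) -> float:
    """Bits of entropy when each of `picks` selections is uniform over `choices`."""
    if choices < 1:
        raise ValueError("choices must be >= 1")
    return picks * math.log2(choices)


def random_kba_answer(words: int = 4, wordlist=WORDLIST) -> str:
    """Generate a random answer from the word list using a CSPRNG (secrets)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def generated_answer_entropy(words: int = 4, wordlist=WORDLIST) -> float:
    """Entropy of a generated answer, independent of which question it answers."""
    return entropy_bits(len(wordlist), words)


def compare_entropy(words: int = 4):
    """Return {question: (bits for a typical real answer, bits for a generated one)}."""
    generated = generated_answer_entropy(words)
    return {q: (entropy_bits(n), generated) for q, n in TYPICAL_ANSWER_SPACE.items()}


def make_safe_record(site: str, question: str, words: int = 4) -> dict:
    """Build the record you would store in a password safe for one site."""
    return {"site": site, "question": question, "answer": random_kba_answer(words)}


if __name__ == "__main__":
    for question, (real_bits, gen_bits) in compare_entropy().items():
        print(f"{question}\n  typical answer: {real_bits:5.1f} bits"
              f"   generated answer: {gen_bits:5.1f} bits")
    print(make_safe_record("example-bank (hypothetical)",
                           "Why are security phrases a bad idea?"))
```

The generated answer's strength comes entirely from the random choice, not from the question, so the question text can be anything and the answer need never be a fact an attacker could look up. The record returned by `make_safe_record` is what goes into the password safe; nothing here is tied to a particular safe or site.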


Small Vendor “Risk”

May 6, 2010

What is the real risk of choosing a small, innovative vendor for your critical IT projects? On the one hand, you can purchase a product built by a vendor that specializes in a specific functional area, is passionate about customer success, and adjusts priorities to meet your particular business requirements. On the other hand, you can choose to purchase an average product, built by a vendor that has a product list bigger than the national debt, is passionate about their profitability, and pressures customers to buy into a grand vision.

What choice do you make? Which option will ensure the success of your business objectives?

Stand Up For Standards

May 6, 2010

Andre Durand’s keynote yesterday at the EIC conference contained many quotable quotes, but the one that stood out for me was, “Enterprises must stand up for standards.” Andre said this while describing the role pure play vendors have in the greater IT community – keeping the large vendors honest regarding their commitment to standards.

IdM standards offer the promise of interoperability, independence from vendor lock-in, and future-resilient systems. Does your vendor have the same perspective?

Enterprises let vendors off the hook when they do not ask, specifically, how a product implements a particular standard. Do you ask, in advance, detailed questions about how completely a standard is supported? Does your vendor avoid answering these questions directly, or are they forthcoming?

During product evaluations, there are times when purchasers can compromise on any number of issues. Let’s face it: there are no perfect products available, and no vendor has anticipated every use case. Deadlines are looming, and we have to make a decision.

Ultimately, enterprises hold the power and influence in their budgets. Are vendors serious about their commitment to identity management standards? The answer can be found in your purchase order.

Some Business Stakeholders Might Want Your IT Project to Fail

May 6, 2010

What?! That was my response when hearing Dr. Rainer Janssen, CIO of Munich Re, deliver his keynote presentation at the EIC conference this week. Dr. Janssen offered many perspectives that I had not heard or thought of before. Many an article has been written and presentation offered that discusses “alignment” of business and IT. Most of these supposed tenets were turned upside down or inside out during a very interesting presentation.

Some business stakeholders might want your IT project to fail? Really? I thought we invited stakeholders to IT projects to make them succeed. The lesson here is: make sure you know the motivations of the stakeholders you invite to the project. The worst case is not knowing they might be pulling against you – until it’s too late.