Research

At the Cloud Identity Summit last week, Craig Burton stated the SAML – the security assertion language that helps thousands of enterprises address single sign-on – is unequivocably dead. Kaput. He presented the following data points to support his argument (I will link to his presentation when available): Proliferation of APIs: There are so many APIs, billions in fact, and we have thousands popping up every second, that we cannot ever hope to integrate them with SAML. The effort is too great, and integration is too complex, for all the services to address the scope of the problem. Scalability: SAML cannot scale to solve the cloud’s many-to-many problems, and is too cumbersome to address such a large problem. Lack of support: His final point is that all the major backers have stopped financial support for SAML 2.0, and it appears that no one is driving advancement of the standard. Without more support fundamental limitations in the standard simply cannot be addressed, and support is shifting to OpenID Connect. Three solid points. But do they mean SAML is dead? And what the heck does ‘dead’ mean for a product anyway? One the first point, I disagree. There are different ways to scale solutions like SAML, and there are indeed billions of APIs, but we do not we want or need SAML to give us SSO to all of – or even a significant fraction – of them. That’s a rather silly utopian dream. And the lack of support for revising a standard does not mean that it is obsolete – or that we should stop using it. That’s my take and I’m sticking with it. I was originally going to title this post is “SAML IS Dead”, but that’s not what we should be talking about. SAML’s longevity, and how much faith customers should put into technologies called ‘dead’, are only part of the problem. This most recent claim is only one instance in a long-running series. We have seen people – no, let’s call this one correctly – analysts – say stuff is dead. All the freakin’ time. IDS, anyone? How many people have said Windows is dead? It’s like any limerick that starts out “There once was a man from Nantucket …” – after the first few you know the pattern. To an analyst there is value to doing this. Advising customers when a technology has been superseded, or will likely be obsolete within a few years, is useful. It helps companies avoid selection of suboptimal technologies, and investment in inferior choices when better options exist. But labeling something ‘dead’ has become every analyst’s favorite way to be a drama queen. It’s to get attention, and to exaggerate a point when you don’t think your audience is paying attention. I understand why it happens, but it’s not helpful. It fails to capture the essence of the slow evolutionary replacement of technologies. History has shown it’s just as likely to be wrong, to mislead customers, or both. Why call products dead when everyone is still using them? Many people on Twitter had the same thought I did – PKI, IPV4, Kerberos, AV and firewalls, have all been ‘dead’ for years – but they all remain in wide use with no indication of actually going away. Worse, when we say older standards are now made obsolete by new standards – which are yet to be finished, much less adopted – we often fall on our faces when the new standard gets stuck in committee and turns out to die while the ‘dead’ predecessor lives on. We have seen cases where simplicity of concept (UNIX) trumps a grand vision (MULTICS). And we have seen cases where technologists want something to die (IE 6 comes to mind), but the general population sees value and utility in the product. Plenty of technologies which are wished or “supposed to be” dead continue to be essential computing and security. So maybe dead means “dead to me” – an entirely different meaning. Share:

“WTF? There are no security people here! I’m at a security conference without security folk. How weird is that?” I just got back from the Cloud Identity Summit in Vail, Colorado. Great conference, by the way. But as I walked around during the opening night festivities, I quickly realized I did not know anyone until Gunnar Peterson showed up. 400 people in attendance, and I did not know anyone. I’ve been in security for something like 16 years. When I go to a security conference – say RSA or Black Hat – I see dozens of people I know. Hundreds I have met and spoken with. And hundreds more I’ve met over the years, whose names I can’t remember, but I know we have crossed paths. I was at a security conference, where only two other people in attendance attend any mainstream security events. Seriously. And one of those two works with me at Securosis. This is amazing. Amazingly bad, but still shocking. Why are these two crowds separate and distinct? Identity and access managements is security. But the people who attend identity events are not and will not be at Black Hat. They are definitely not the people at DefCon. I am guessing that is because of the different mindset and approach between the two camps. I was talking with Gunnar about how the approach in identity now is about building capabilities and interconnectedness. Security is still mostly about breaking stuff to prove a point, with a little risk analysis thrown in. I say identity is enablement, while security is disablement. Gunnar said “IAM is about integration; security is about stopping threats”. That’s the difference in mindset. And if any two audiences need to cross-pollinate, it’s these two. Be honest: how much do you know about SAML? When was the last time you used the phrase “relying party” in a sentence? PIP? Yeah, that’s what I thought. The other big takeaway from the event was how cloud computing architectures are changing the way we use identity services. We’re not talking about moving Active Directory to the cloud – it’s an entirely different approach. At Securosis we talk a lot about the need for security companies to stop ‘cloudwashing’ their marketing collateral, and instead redesign parts of their products from scratch to accommodate different cloud service models. Identity providers are doing this, in a big way. Another thing the conference highlighted is the failure of perimeter-based security for cloud computing, and how that applies to identity. For most of you reading this, that’s not a new concept – but seeing it in practice is something else entirely. In years past I have called identity “front door security”, because it’s the technology that secures the main entry point for applications and services. It still is, but the “front door” is dead. There is no front door – as the perimeter security model dies, so does the concept of solid walls guarding content and systems. This has been a key theme in many of Chris Hoff’s presentations over the last several years, and was the theme of this identity conference in Colorado as well. But it hits home when you see that major cloud providers are in the second or third phase of maturity when it comes to federated identity and SSO outside corporate IT. Services Oriented Architectures have many public facing portions – with many cooperating services working together to determine identity, access rights, and provisioning. I will have much more to say about the different architectures and supporting technologies in the coming months. All in all the Cloud Identity Summit was one of the better security events I have ever been to. Being in Vail helped, no doubt, but the conference was well run. Good speakers, good orchestration, plenty of coffee, and the most family oriented conference I’ve ever been to in any industry. I’ll be going back next year. And if you are in security you should check it out too. Honestly, people, it’s okay to Cross the streams. I know hacking is far sexier than writing secure code, but it’s okay to learn about positive security models as well. Share:

It probably does not need to be said, but just about the entire Securosis team will be at Black Hat this week. And no, not just for the parties, but there will be some of that as well. I want to see a boatload of sessions this year – and I am betting Moss, Schneier, Shostack, Ranum, and Granick on stage together will be entertaining. On Wednesday David Mortman will present The Defense rests: Automation and APIs for Improving Security. I think this will be a great session – the topic is very timely, given the way firms are moving away from SOAP-based APIs to REST. You should see this one too – rumor is that Kaminsky’s presentation is very boring, and API security is way more interesting than that old network stack/DNS stuff. This Friday at DefCon David Mortman, Rich Mogull, Chris Hoff, Dave Maynor, Larry Pesce, and James Arlen will all present at DEF CON Comedy Jam V, V for Vendetta. I have seen parts of Rich’s presentation, and it’s definitely something you’ll want to see as well. Me, I am going to be… actually I have no idea where I will be. I’m proctoring sessions, but at this moment I have no idea which ones. Or when. Unlike previous years, I am “schedule challenged” – but fear not, for those of you I said I want to meet, I will get in touch when I land in Vegas and figure out my schedule. Looking forward to seeing you there! Share: