One of my favorite industry events was last week, the 2013 Cloud Identity Summit. Last year’s was in Vail, Colorado, so I thought this year couldn’t top that. Wrong. This year was at the Meritage in Napa – nice hotel, nice Italian restaurant, stunningly helpful staff, and perfect weather made for a great week. And while I was sorely tempted to tour the Napa Valley, I found the sessions too compelling to skip out. Here are a few of the highlights:
- AZA vs. KNOX: As I mentioned earlier this week, while 2012 centered on infrastructure and identity standards (OAuth, OpenID Connect, and SAML) to enable cloud services, 2013 focused on mobile client authentication and Single Sign-On. SSO is still the challenge, but now primarily for mobile devices, and that is not yet fully sorted. This is important because mobile security is itself an identity problem. These technologies give you a glimpse of where we are going after BYOD, MDM, and MAM. Between my KNOX vs. AZA mobile throwdown and Gunnar’s Counterpoint: KNOX vs. AZA throwdown we covered the high points of the discussion.
- WebDevification: An informal poll – okay, the dozen or so people I asked – felt Eve Maler’s presentation was the best of the week. Her observations on the ‘webdevification’ trend that mashes up third-party APIs, cloud, and mobile really hit the conference’s central themes. API gateways and authentication tools like OAuth that support that evolution are turning traditional development paradigms on their ears. More importantly, from a security standpoint, they show that we can build security in without requiring developers to be security experts.
- Slow cloud IAM adoption curve: Like the cloud in general, adoption of IDaaS has been somewhat slow. But moving to IDaaS is conceptually daunting. I liken the change to moving from an Earth-centric to a sun-centric view of the solar system. With IAM we are moving from an on-premises to a cloud-centric view of IT. Ping’s CEO Andre Durand did a nice job outlining the typical client maturity curve of SSO to SaaS integration to Federation to IDaaS, but the industry as a whole is still struggling at the halfway point. Why? Complexity and compliance. Complexity because federated identity has a lot of moving parts, and how we do fine-grained authorization and provisioning is still undecided. More worrisome is moving confidential data outside the enterprise without appropriate security and compliance controls. These controls and reports exist, but enterprises don’t trust them… yet. But Andre made a great point: we had the same reservations about email, but once we standardized on the SMTP interface email became a commodity. The result was firms like Hotmail, and now most firms rely upon outsourced email services.
- 2FA on mobile: I Tweeted: “Am I still the only one who thinks mobile browser based 2FA is kludgy?” at CIS. SMS would be my first choice, but it is not available on all devices. HTTPS is a secure protocol available on all mobile platforms, so it’s a great choice. But my problem is not the protocol – it’s the browser. Don’t design a new security system around one of the most problematic products for security. XSS and CSRF still apply, and building new systems on top of vulnerable ones just enables a whole new class of attacks. Better to find a secure way to pass a challenge to mobile devices – otherwise use thumbprints, eyeball scans, voice, or facial recognition instead.
- FIDO: Due to the difficulties standardizing authentication on different mobile platforms, the FIDO alliance, which stands for Fast IDentity Online, is developing an open user authentication standard. I hadn’t paid close attention to this effort before the conference, but what they presented was a sensible approach to minimum requirements to authenticate a user on a mobile device. Befitting the conference theme, their idea is to minimize use of passwords, enable easier/better/faster authentication, and help the community link cloud services together. This is one of the few clean and simple identity standards I have seen, so I recommend taking a quick look.
CIS is still a young conference, and still very developer-centric, which I find refreshing. But the amazing aspect is that it’s a family event: of 800 people, about 200 were wives and children of attendees. Each night a hundred-plus kids played right alongside the evening festivities. This is the only ‘community’ trade event I have been to that is actually building a real community. I highly recommend CIS if you are interested in learning about the cutting edge of identity and authorization.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane The Temptation of the Developer. A scarier “insider threat”.
- David Mortman: Intel Software Guard Extensions (SGX) Is Mighty Interesting.
- Mike Rothman: Counterpoint: KNOX vs. AZA Throwdown. Great research (or anything really) requires an idea, and then smart folks to poke holes in it to make it better. It was great to see Gunnar make great counterpoints to Adrian’s post, which was also great. That’s why we hang out with smart guys: they make us smarter.
- Rich: PCI Standards Flow Downstream. Ah, PCI.
Other Securosis Posts
Favorite Outside Posts
- David Mortman: How Experts Think.
- Mike Rothman: Dropbox, WordPress Used As Cloud Cover In New APT Attacks. Hiding in plain sight. With cloud services aplenty we will see much more of this – which makes detection that much harder.
- Adrian: Malware Hidden Inside JPG EXIF Headers. There are too many ways to abuse users through browsers.
- Rich: Kali Linux on a Raspberry Pi. Years ago I struggled to get Metasploit running on my wireless router as part of my DEFCON research. I never pulled it off, but this sure would have made life easier.
Research Reports and Presentations
- Quick Wins with Website Protection Services.
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
- Pragmatic Key Management for Data Encryption.
Top News and Posts
- DHS warns employees not to read leaked NSA information
- Blackhat And Defcon Parties 2013
- Quantum Dawn 2: US banks on cyber-attack defense
- The Security Pro’s Guide To Responsible Vulnerability Disclosure
- The Creepy, Long-Standing Practice of Undersea Cable Tapping
- How the US (probably) spied on European allies’ encrypted faxes
- Researcher finds way to commandeer any Facebook account from his mobile phone
- Crimelords: Stolen credit cards… keep ‘em. It’s all about banking logins now
- Oracle releases critical security update for Java, Apple follows suit
Blog Comment of the Week
This week’s best comment goes to Nikos, in response to Intel Software Guard Extensions (SGX) Is Mighty Interesting.
From the papers it seems that the purpose of SGX is to protect a piece of security critical code, i.e. the one within the enclave, from the rest of the system, and not the other way around. Hence, sandboxing and Java/Flash isolation, which essentially try to protect the rest of the system from the execution of a potentially malicious piece of code, don’t seem like an appropriate use case for SGX to me.
Reader interactions
2 Replies to “Friday Summary: Cloud Identity Edition”
I almost like that article about How Experts Think. I “think” it should be continued or slightly morphed a bit to talk about practice, practice, practice. It’s less about thinking selectively and more about experience. I can see how one leads to the other, but that just makes selective thinking (and thus efficient thinking) a symptom of the actual reason: practice/experience.
Still, I like the examples behind the piece.
IDaaS adoption is also slow because SAML 2.0 is a complete pain in the ass with everyone implementing it differently. This gets even harder when you start to roll in outside services that you have no control over.