Privacy and Contact Tracing

Contact Tracing is the concept of identifying persons who may have come into contact with an infected person and it is seen as a critical component of managing the spread of COVID-19, a particularly contagious and serious threat. Contact Tracing can be done manually, in cases where contact is known and limited, like within a hospital room. Or, it can be managed automatically in situations that are less well regulated using a proxy for a person – like a phone.

Is it possible to allow our phones to automatically gather our sensitive medical data and make it accessible to an app, without completely destroying personal data? While there are myriad bad ways to do this, Google and Apple are trying to do it in a way that most respects personal data privacy. We’re going to dig a little into what they’re doing and what privacy concerns still arise.

On May 20th, Apple and Google released an API that apps from public health organizations can utilize for the purpose of Contact Tracing. The API will let those apps use a phone’s Bluetooth to keep track of whether it has been in proximity with another contact tracing app user who later turns out to have been infected with Covid-19.

The apps will broadcast unique, rotating Bluetooth codes. The codes are derived from a cryptographic key that changes every day. This ensures that the users stay unique, and that their identity is hard to uncover, based on the frequency of code rotation.

The apps then monitor other contact tracing apps they come into contact with, and record the anonymous codes issued by those devices.

When a user reports a positive COVID-19 diagnosis, their app uploads the keys that were used to generate their codes.

All other apps download the daily keys and use them to recreate the codes they generated. If it finds a match with one of its stored codes, the app will notify that person that they may have been exposed.
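The key-upload and code-matching exchange described above, as an added illustration written for this article (it is not the page's own code and not the Apple/Google API). The 16-byte daily key, the 10-minute rotation, and the HMAC-SHA256 code derivation are assumptions chosen here for readability; the real key schedule differs.

```python
"""
Simplified model of rotating-code exposure notification (illustrative only).
Assumptions made for this example, NOT the Apple/Google key schedule:
  - one random 16-byte key per day, generated on the phone
  - codes rotate every 10 minutes (144 per day)
  - a code is HMAC-SHA256(daily_key, day || interval) truncated to 16 bytes
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_MINUTES = 10
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES  # 144
CODE_BYTES = 16


def new_daily_key() -> bytes:
    """Fresh random key for one day; it leaves the phone only on a positive report."""
    return os.urandom(16)


def rotating_code(daily_key: bytes, day: int, interval: int) -> bytes:
    """Code broadcast over Bluetooth during one 10-minute interval of one day.
    Deterministic from (daily_key, day, interval) so other phones can recreate it
    later from a published key, but unlinkable across intervals without the key."""
    msg = b"demo-code" + day.to_bytes(4, "big") + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:CODE_BYTES]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)  # day -> private daily key
    seen: set = field(default_factory=set)          # codes heard nearby, kept locally

    def key_for(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, new_daily_key())

    def broadcast(self, day: int, interval: int) -> bytes:
        return rotating_code(self.key_for(day), day, interval)

    def hear(self, code: bytes) -> None:
        self.seen.add(code)

    def report_positive(self, days) -> list:
        """Upload only the daily keys for the contagious window, never the codes
        or the list of codes this phone heard."""
        return [(d, self.key_for(d)) for d in days]

    def check_exposure(self, published_keys) -> bool:
        """Recreate every code each published key could have produced and compare
        against the codes stored on this phone. Matching happens on-device."""
        for day, key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rotating_code(key, day, interval) in self.seen:
                    return True
        return False


def meet(a: Phone, b: Phone, day: int, interval: int) -> None:
    """Two phones within Bluetooth range record each other's current code."""
    a.hear(b.broadcast(day, interval))
    b.hear(a.broadcast(day, interval))


def simulate() -> dict:
    """Constructed scenario: Alice and Bob meet on day 3; Carol and Dave meet each
    other but never Alice. Alice later reports positive for days 2 to 4."""
    alice, bob, carol, dave = Phone("alice"), Phone("bob"), Phone("carol"), Phone("dave")
    meet(alice, bob, day=3, interval=57)
    meet(carol, dave, day=3, interval=58)
    published = alice.report_positive(days=[2, 3, 4])  # what the server redistributes
    return {
        "bob_exposed": bob.check_exposure(published),
        "carol_exposed": carol.check_exposure(published),
        "dave_exposed": dave.check_exposure(published),
        # privacy properties the article relies on:
        "codes_rotate": alice.broadcast(3, 57) != alice.broadcast(3, 58),
        "keys_differ_per_day": alice.key_for(2) != alice.key_for(3),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Note that once Alice's daily keys are published, anyone holding them can recreate every code she broadcast on those days; that is the linkage the correlation-attack concern below depends on, and why only keys for the contagious window are uploaded.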

This exchange is outlined below by Wired.com (https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/):

The positives are that the phones stay anonymous, the data exchange is voluntary, and the reporting is completely opt-in. However, there are still a few possible attack vectors, as outlined below.

Privacy Concerns and Responses

Correlation Attack: User is identified by matching their image to the codes broadcast in their proximity.

This would require recording the person’s face while catching the code, then matching the code to the Bluetooth signals passing by. This is not going to expose a high number of people, but is a potential risk.

Identification through additional data: App could choose to collect IP address, location, etc. to ID the user.

This could be mitigated by Apple and Google vetting any apps using their API. Otherwise, the user would need to be able to choose not to opt into the app.

Ad targeting based on beacon data: Companies set up their own beacons to track infected customers.

This is possible but not super useful to companies, who have much more detailed data on their consumers’ buying habits. Companies could market based on COVID-19 remedies, but this is going to be a small benefit to the company.

All told, the risks to privacy are fairly well mitigated by Apple and Google’s choices about how to deploy this API. The biggest risk will be to ensure that the apps that are using the data aren’t augmenting it with additional information that could reveal the person behind the anonymous codes. This will mean it’s up to Apple and Google to vet the apps, or up to the end user to ensure they are selective about what supplementary information they grant to the app or which apps they’ll trust to be privacy protecting.

There’s another element to the success of these apps – how well will they actually work given the protective nature of Apple and Google’s solution?

Efficacy Concerns and Responses

  1. Population must download and use the app. People may be fearful of how their data will be collected and used, or may not care to adopt the app, which will limit usefulness.

    To address the fear of data collection, having a trusted source for the app, like a healthcare provider with strict access protocols and limited information, could help assuage concerns that an unknown entity is accessing their health information.

    To address the idea that we would need most of the population to use the app (a Forbes.com article suggests 80% adoption for smartphone users is necessary to be effective), governments could mandate app usage to access certain public spaces, travel, or return to work. This mandate would be problematic itself, however. It’s either discriminatory, since it will only work for those individuals who have a suitable device, carry it with them at all times, and leave BLE enabled, or could only be enforced in situations where all parties are known to carry a device (e.g. employees granted a work phone). And, it won’t work in any environment where radio transmission needs to be switched off, like an aircraft.

  2. The solution relies on the availability of testing to generate confirmed positive results. There’s no way around this – there must be testing for this solution to work.

  3. Trolls could report positive anonymously to disrupt the system.

    The system could require a code from the provider to log a positive result, or, if the app is managed by health providers administering the tests, they could manage this directly, avoiding intentional false positives.

  4. Bluetooth reports proximity but not whether you were actually in contact; contact through a wall/window/door could be reported where no actual contact occurred. This could generate false positives.

    This could be managed by keeping the range for Bluetooth low, but otherwise may be a limitation of the system.

So, what’s the conclusion here? The privacy issues are relatively low, as long as apps don’t ask for extra data (or Google and Apple prevent it.) But the downside is that efficacy is also low for an opt-in app. This isn’t necessarily the fault of the high privacy approach, but more a reflection of how hard it is to get a large enough section of the population to use an app to make the result effective. It doesn’t hurt to have it, but other options, like manual contact tracing in local areas might be a more efficacious way to track people on a local level. Then, the locally collected data can be aggregated to create a clearer picture of the state of the virus.

Sources

  • https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/
  • https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/
  • https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/
  • https://www.forbes.com/sites/zakdoffman/2020/05/12/forget-apple-and-google-contact-tracing-apps-just-dealt-serious-new-blow/#18ab44c72172

Marla Hay 

Sr. Director 

Product Management – Privacy & Data Governance 

Salesforce


The Color of 2020 is Blue

At specific points in history, life shifts: rhythms change, patterns of behavior evolve rapidly, and cultural values reshape themselves. The current global pandemic is one of these societal salients.

It’s not the first time that this kind of transformation has taken place, of course, and examining a similarly radical revolution can inform how we view the current environment. If the color of the world is indeed changing, then it’s only appropriate that one of the parallels that we examine be the astonishingly rapid rise of the color blue.

In the beginning, blue did not exist.

Red, white, and black were the colors of ancient cultures; from cave paintings to the dyeing of fabrics—blue was more difficult to source, process, and manipulate, and so it remained a second-rate color, especially in the western world.

The lack of blue in art and clothing meant that blue had little symbolic value; even up until the high Middle Ages, it was not even used for depicting the sky—most artists showed the sky as red, gold, or white. Whereas some colors took on cultural significance because of their widespread usage (the example of a small girl dressed in red, taking a pot of white butter to her grandmother, dressed in black in ‘The Little Red Riding-hood’ story comes to mind), blue was nonexistent in terms of meaning.

All of this, however, changed within a few decades in the 13th century. Artistic expression was driven by development of the “Chartres blue”, a new, brighter, and more luminous blue in glass form, which heralded a widespread adoption of the color in stained-glass windows in churches throughout Europe. Advances in clothing production also elevated the status of blue in textiles. A massive increase in production of woad, the raw material used in dyeing fabric blue, along with the associated rise in demand for the color, led to entire regions such as Languedoc (France) and Thuringia (Germany) becoming wealthy as they specialized in the production of blue and its associated products. By the end of the 13th century, a stable, bright blue cloth was widely available.

And as blue became more widely available, its semantic impact skyrocketed. Blue embedded itself into religion, as the new color was used to represent the robes of the Virgin Mary. It was also incorporated into the heraldry of various important families, and royalty was no exception to this affection for the new color. While the King of France was the first to adopt blue into his royal color palette, it was soon in use by the King of England, and later by kings in Germany and Italy.

In just a few short decades, then, blue went from having no cultural significance to representing some of the highest values of society: the purity of the Virgin, the power and prestige of royalty. The spectrum of meaningful color had expanded in short order, and the world was different as a result.

The world we live in is currently undergoing a similar seismic change. Previous patterns of working and living have been forcibly modified. One of the most foundational of these movements comes at the hands of “shelter-in-place” orders being enacted in various parts of the world: employees, no matter their industry or profession, are being forced to work from home.

The concept of working from home is not novel. With the adoption of mobile devices and the increase in broadband availability both in private and public areas, a small segment of the workforce had already adopted this model. Like the color blue, however, it was a secondary option, and its cultural impact was limited.

The spectrum of work has now shifted. Shelter in place orders have forced a global workforce to work from home. What had been an alternative mode of work has now become the primary—all within a few short months, if not weeks. Remote work is the color of 2020, and it is likely here to stay. Once blue arrived, innovation and investment drove production and created entirely new industries, and the forced adoption of this new mode of work will force a similar chromatic shift. People have a new color in their palette, and the world will be shaded differently.

In the wake of this transformation, the cultural impact of this shift awaits. In short order, blue came to be associated with health, power, and affluence. Will the same soon be said of working from home?

Certainly, from a business perspective, the value of this new way of working is already evident, particularly for organizations that have already developed the infrastructure to accommodate a pattern of remote work. This is not merely an installation of IT services such as a VPN, but also requires reconsideration of the established security mindset. While many of them may not have the scale to handle a complete and immediate transition to home-based employees, their transition to this brave new world will be smoother due to their preemptive investment in a revised security strategy.

This new approach to securing resources deemphasizes perimeter defense and elevates the role of identity. Various systems and names have been introduced (or reintroduced) to facilitate the practical development of these systems; zero trust and CARTA are a few strategies among many that attempt to translate this vision into a practical reality.

Businesses that have already begun this shift are likely to be less impacted by the maelstrom of change; while none welcome this new reality, organizations well-equipped for this new cultural value will be healthier in both the short and long term. Fewer disruptions in their business and continuity in their economic model will mean that they have a stronger chance of not just surviving, but being in the ascendancy as the crisis transitions into a different, hopefully milder, phase.

Even organizations with a solid security strategy, however, are subject to market forces. It is possible that the new dominance of remote work will alter the landscape of enterprise. Just as the rapid proliferation of the internet drove some organizations into the stratosphere and left others behind to languish in the “brick and mortar” mindset (the easiest example of this dichotomy is Amazon and local booksellers), working from home at this sort of scale has the potential to divide enterprises into strata of success. As a result, remote work may become semantically linked with health and with power—or their business-speak equivalents “profitable” and “innovative”—similarly to the new connotation blue acquired after it was employed by religion and royalty in the Middle Ages.

But the more profound potential for the cultural impact of working from home centers around individuals. In just a few short weeks the quarantine has shone a bright light on existing inequalities that are all-too-easily ignored.

The pandemic is revealing a caste system, one of whose demarcation lines is the ability to work from home. This flexibility is primarily dictated by both the availability of reliable broadband access and the specific occupation in question. Rural residents with limited network access, or those in specific sectors: the service industry, shipping and transport, food distributors, and government officials often have no viable option to work from a remote location—to say nothing of the healthcare workers who find themselves thrust to the front line of the pandemic.

For others, the ability to continue to work while staying home confers a wide range of benefits. The first is obvious: steady employment. With unemployment rapidly escalating, the pandemic is already having an effect on economies worldwide. If working from home means retaining a job, this primary benefit lays the foundation for the others that follow. The second advantage lent by remote work may be a bit more hidden: continued education for their children. Schools in 130 countries have closed, disrupting the learning of over 1.2 billion students. The same reliable network access which allows them to continue working also provides for the continued education of their children and puts those pupils at an advantage to their peers. Finally, the most striking benefit that working from home while quarantined bestows is a better health outcome. If the point of stay at home orders is to prevent interaction with outsiders, preventing the spread of COVID-19, then complying with these guidelines and working from their homes ensures that those individuals and their families are less likely to fall ill.

These are not minor benefits: affluence, education, and health. And if the pandemic and working from home are revealing an existing caste system, it is also reinforcing it. Those with the ability to work from home are finding their wealth protected, their children keeping pace academically, and their expected health outcomes confirmed.

After only a few short weeks of stay at home orders, both businesses and individuals are already associating a work from home model and increased health, power, and influence. As the quarantine continues, that connection will only strengthen. COVID-19 has transformed remote work from a relatively unused mode of employment to the only viable option, and the benefits that that model currently conveys will ensure its association as not just a possibility, but as a preferred way to work for many.

After a long period in relative obscurity, blue’s popularity exploded; the spectrum of the world expanded and blue rose to become the world’s favorite color in the space of a few short decades. Starting as an afterthought, it came to be strongly associated with positive ideals and well-being. Blue’s ascendance was astonishingly rapid, but the rate of worldwide change in this early portion of 2020 makes it seem glacial: the global pandemic has the potential to establish working from home as a cultural value—and to equate it with health, affluence, and power in only a few short months. The color of the world is swiftly changing once more.

Mike Kiser

Global Security Advocate, Office of the CTO 

SailPoint


The Experience of Identity 

Or The Art of Getting out of the Way

Most people basically don’t care about online security and privacy – at least, until something goes wrong. Most people care about getting stuff done. When most people go online, they do so to interact with friends or colleagues; to shop; to do work; to use local or national public services; to file taxes; to fill in school applications; to play games…. In other words, for most people, ‘real world’ and ‘digital world’ overlap and intersect in increasingly fluid ways. And just as in the real world, if we put barriers in the way – no matter how well-intentioned – most people will make a choice to use someone else’s service.

Let’s take the exceptions, first. It is certainly true that if I want to, for instance, open a bank account, or apply for certain benefits – in person, at a bank branch (if you can find one!) or regional government office – I may need to present one or more ‘proofs of identity’. The exact process will differ from country to country, but the basic principle is the same. Yes, it’s a little annoying… but it doesn’t happen very often, and we all (mostly) understand why we are being asked to follow the process. Most important: the ‘cost’ to us, in terms of the inconvenience, in most cases balances out against the value we ascribe to the service.

Likewise, when we go shopping (IRL) the process of buying something is generally pretty quick and simple. I don’t have to answer a bunch of questions, or agree to terms and conditions, or figure out whether or not to tick the box to accept marketing information. I pick my items, hand over my cash (or tap my card, or whatever) and I’m done. Barrier to entry very low – ease of transaction very high – everybody wins.

Unfortunately, we have developed habits over several years of making it really hard for most people to do simple things online. I’m sure we all have our own favorite egregious example. Here are a couple of mine, suitably anonymised.

Exhibit One: an international budget hotel chain. They have an app for making reservations. On the opening screen of the app, they provide this nice consent box:

Two problems here. The first is rather fundamental: I’m prevented from booking a room unless I agree to receive marketing. Well, that’s just naughty. The second problem is more subtle: I have to agree to the terms and conditions before I open the app. Imagine this as a phone booking instead:

Prospective customer: Good morning, awesome hotel! I’d like to book a room, please.

Ostensibly awesome hotel: Sure! We’d love to have your business! Before we do anything else, though, I need to read you our privacy notice (which is only 10 pages long) and our commercial terms and conditions (we have a great new version of these which is only 8 pages long!), and then you have to agree to it all. Is that OK?

Prospective customer for a different hotel: (decides this is not such an awesome hotel, and hangs up)

Not very awesome hotel: oh dear, there goes another customer

Being cynical, one rather imagines that the hotel chain is hoping that people will just check the boxes as a quick way to skip over the barriers here; and they are probably right. But even then – leaving aside the dubious ethics and legality – it’s not a great experience. What I want to do is to make a reservation!

Exhibit 2: MFA. So let’s be clear. There’s no question that MFA is a lot better and a lot easier to use than it was. There’s no question that MFA makes a tremendous difference in terms of things like account takeover. But here’s the rub. Most people don’t care. Case in point: in my spare time I manage a set of online services for a local charity. Our users are smart people, but they are not technologists. We use three different platforms to run the charity; two quite specific to the org, and one which is a very common business services platform. And we use online banking. The online banking service and two of the three platforms offer MFA (or, at least, 2FA). They all do it differently. The bank and one of the charity platforms have (different) custom solutions. The common business platform uses an industry standard solution… but the onboarding process, especially for non-technical people, is byzantine. As a result, it has taken over 12 months to get a team of 10 people properly configured. No-one is happy, because there are multiple systems to contend with (none of which are particularly user-friendly) and we’ve only succeeded because the threat of non-compliance with GDPR best-practices has forced individuals into action.

There are plenty of other examples – one which gets quoted a lot is the ‘having to create an account before you do anything’. This particular design pattern, I’m pleased to say, appears to be on the decline. I’ve had several online shopping experiences recently where the choice to create an account was just that: a choice. Presented to me after I completed my purchase. And you know what? In one case, I knew I was unlikely to visit that particular store again, so I saved myself the time – and in so doing I also saved the company from having to maintain and secure an account for me which was going to serve no useful business purpose!

And that’s the point. We – and the business leaders who inform the projects we work on – have fallen into habits and patterns which, in many cases, had sensible security or privacy or operational purposes behind them but which ended up getting in the way of the customer. And we could have – we can – do things differently. Standards like FIDO and WebAuthn and SAML and OpenID Connect (and many more) certainly help. We should take care not to compromise security and privacy in our efforts to improve usability. But we should start to prioritise designs which actively help users get things done. Which, more often than not, means getting out of the way.

Andi Hindle

Independent Consultant

IDPro Board Member

Virtual Conferences : Silver Linings

Around this time of year, we typically highlight the major digital identity conferences coming up. The value of these in-person get-togethers is manifold. We exchange ideas with our peers; we find solutions to vexing problems; we progress standards and architectures and designs. We generate new business or develop our careers. We build and renew professional and personal relationships. And we have fun! 

During the course of a normal year, a huge number of identity professionals, IDPro members and non-members alike, get the opportunity to attend conferences – and other less formal meet-ups – often just to attend, sometimes to speak or to participate actively in other ways. 

This year is decidedly not a normal year. 

Most events have either postponed until later in the year, in the hope that the situation will have resolved sufficiently to allow people to attend. Identity Week London, the new Authenticate conference, and Know Identity fall into this camp. Others, including the European Cloud and Identity Conference (a.k.a. “EIC”) and Identiverse®, are moving to some form of virtual delivery.

Much of my day job revolves around managing the agenda for Identiverse® – one of the major events in the Identity conference season, and IDPro’s ‘home’ show. We announced back in March that we would switch to a virtual delivery model this year. In doing so, we spent some time thinking not only about how to preserve some of the core elements of Identiverse® that long-time attendees will know make the show special, but also whether the online delivery model offered us any new opportunities.

We’re still ironing out some details, but here’s a preview of what you can expect. 

First, we know that the main reason people come to Identiverse is for the content. We have over 80 hours of material, most of it carefully selected by the content committee from our open and public call for presentations. If you have ever put in a proposal to speak (whether at Identiverse or at some other event) you’ll know that quite a lot of work goes into it even before you start building out your deck… and it’s a real buzz to get selected, even for veteran presenters! We certainly wanted to make sure to maintain as much of this year’s published agenda as possible. 

However, we also recognise that no-one is going to be able to devote the same amount of time in a single sitting to an online event as they would to an in-person conference. So, instead of simply transplanting the original 4-day event directly online, we’re taking the original material and spreading it out across several weeks, in much shorter blocks of time. Starting in early June there will be a couple of broadcasts most days – many featuring live Q&A with the presenter. Most of the material will also be available after the event so that people can watch at their leisure.

We hope that this preserves much of the essence of Identiverse: quality content, peer-to-peer interaction, and flexibility of viewing. But in addition, by moving to a virtual setting, and by making the event free of charge, it means that many more people will be able to attend, no matter their location or their personal circumstances. And we’re looking at some other possibilities, including some virtual networking and socialising ideas. 

The detailed agenda is already on the Identiverse website (with new filtering capabilities) and the broadcast schedule will be coming soon. The agenda is, as usual, broad; and plenty of IDPro members – both individuals and companies – are represented! 

As noted, other events are taking similar approaches. All of which means that, in spite of all the challenges we face at home, and at work, it turns out that there are more opportunities than ever to deepen existing skills, learn new ones, and connect with our peers around the world. 

For me personally, I know that I will miss heading to Munich for EIC, with meet-ups in beer gardens, and pretzels, and vast platters of pork. And I will miss the intensity of Identiverse week, and the glass of scotch that I enjoy with a few friends as a treat at the end of a busy week.

But this year, I will actually get to watch all of the presentations at Identiverse; and I will make new connections with Identity professionals who I wouldn’t otherwise have a chance to get to know. And… I’m sure I’ll find a way to enjoy that end-of-show drink, even if we have to do it over a web conference 🙂

So make the most of the opportunities that this year’s conference season brings. It will certainly be a different experience… and sometimes, different can be better! 

Andrew Hindle 

Identiverse Content Chair, Independent Consultant, Board Member IDPro 


Let’s Play! Dating Strategy of Malware Technique 

  1. Catfishing 
  2. Dogfishing 
  3. Sniffing 
  4. Ghosting 
  5. Rooting 
  6. Benching 
  7. Doppelgänging 
  8. Roaching 
  9. Pharming 
  10. Haunting 
  11. Kittenfishing 
  12. Phreaking 
  13. Orbiting 
  14. Cracking 
  15. Phubbing 
  16. Breadcrumbing 
  17. Stashing 
  18. Spoofing 
  19. Submarining 
  20. Snooping 
  21. Mooning 
  22. Throning 
  23. Wardriving 
  24. Tindstagramming 
  25. Vulturing 
  26. Zombieing 
  27. Piggybacking 
  28. Social Engineering

Dating Strategy: 2 (really?), 4, 6 (my entire middle school experience both socially and athletically), 8 (is askmen.com the best source for dating advice?), 10 (cosmo is definitely the canonical source for this kind of info, and possibly originates most of it), 11 (rampant on linkedin, to be fair), 13, 15 (also useful in parenting), 17, 19 (I’m just as surprised as you that NPR covered this), 21 (again, a good portion of my middle school experience, but it had nothing to do with dating), 22 (do you need 12 steps to identify this?), 24 (just completely, completely wrong)

Malware Technique: 3, 5, 7, 9 (not the worst thing that can happen to your DNS), 18 (I’m setting a ringtone for “nuisance likely”), 23 (still one of my favorite techniques for the change of scenery alone), 27 (if you haven’t, do an internet search for Deviant Ollam’s youtube series to see an artist at work)

Both: 1 (and additional meanings as well: how is this even a thing?), 12 (Don’t Google this, trust me), 16 (old-school action – it’s what got Mitnick hooked), 20, 25 (if we’re counting media coverage), 27, and, not surprisingly, 28 

Scoring Rubric: 

1-10: You’re likely skilled in either the Mad Max Beyond Thunderdome that is the online dating scene, or you’re a highly sought-after security mercenary. As this simple quiz shows, the Venn diagram for those two categories resembles a map of two seas that lie on opposite sides of Asia. 

11-20: The sweet spot in the bell curve, also known as the normal or Gaussian or Laplace-Gauss distribution. (And yes, I may have been spending too much time looking at statistics and graphs during the last few weeks.) Bonus points will be awarded based on the number of these terms you can work into your next conference session or video call with your elderly parents, whichever comes first.

20-28: While your achievement is laudable, please note that the authorities (and your Tinder / Bumble / FarmersOnly contacts) will be notified for their own safety and wellbeing.

Making it Work – Newsletter Editorial 

This year started out looking pretty busy. From my home base in the UK, I travelled to Denver for a week’s worth of meetings in early January. Ten days later I was in Japan for the OIDF/J conference and a number of (very enlightening!) working group meetings. 3 weeks after that, I was back to the US for the RSA Conference in San Francisco.

In between Japan and San Francisco, I was tested for COVID-19 in line with the UK guidelines, because I had developed a sore throat a few days after my return from Tokyo. The general consensus from the doctors I worked with was that it was highly unlikely to be anything other than a regular “travelers’ cold”, and so it proved, but I was nevertheless asked to self-isolate at home for the week or so it took to process the test (testing times have improved quite a bit since then).

As I write this, we find ourselves confined to barracks once again, though this time on a national basis. My wife is working from home as best she can, although occasional trips to the office are still needed. Schools here shut down nationally at the end of last week. We are doing our best to provide some structure for the kids, whilst recognizing that we are not teachers. And my busy year is continuing, but in a very different configuration. Much of my independent consulting work is on hold for now; but my role with Identiverse, where I’m responsible for the agenda, has taken on a new urgency as we work to figure out the most effective way to bring the content from the conference to everyone in the absence of an in-person gathering.

In many ways, though, I am fortunate. I have been working from home for many years, and I’ve developed routines and strategies for doing so. Many people now find themselves #wfh for the first time, and it’s challenging. Yes, there are plenty of ‘helpful’ sites around with recommendations for how to set up the perfect home office… but they don’t generally account for the practicalities of real life — a couple of young children who need entertaining; a spouse who also needs to work (and whose work habits are quite different from your own!); slow and glitchy internet; not enough space on the dining table to set everything up; and a manager who is also stressed and who has never tried to manage people remotely! And to top it all off, many of the things we normally do to relax and de-stress are off the table, at least for now; and behind it all, we are of course concerned about family, and friends, and what the future might bring.

Well, I can’t for one moment pretend to have answers for all of that! Marla Hay from our editorial team presents a few nuggets of wisdom of her own later in this newsletter. I’d like here to offer four pieces of advice based on my own experience, which I hope will be helpful both for individuals and for managers.

Burn Out 

The risk of overdoing things is surprisingly high, and is not to be underestimated. People tend to focus on the opposite problem — not doing enough — and that’s certainly something to be aware of. But there is a significant difference between the level of concentration when working by yourself, and what you typically experience in a busy office environment. No brief discussions with colleagues at the water cooler; no interrupts at your desk from passing co-workers; no opportunity to go and have an impromptu brainstorming meeting over lunch. For a day or two, it’s fine; it might even be welcome! But maintaining this level of focus for a week or two is ill-advised and counter-productive. A little like embarking on a long bike ride or run: your sustainable pace may initially feel a lot slower than you think reasonable. That’s OK. Better to start slower and speed up later if you find you have the capacity. Even as little as two or three two-hour blocks spread out through the day might be all you can achieve. And remember: what works for one individual doesn’t necessarily work for everyone! Some people do better with a one-day-on, one-day-off pattern.

The next two recommendations should be useful by themselves as well, but will also help with pacing.

Structure

For people who already naturally work in a highly organised manner, this will come fairly easily. The challenge for these individuals tends to be ‘trying to fit too much in’. If you aren’t used to working from home, the temptation is to schedule every minute of every day. Resist. You need time to breathe.

For those who don’t — and I count myself amongst this group! — the lack of the enforced discipline that can come from working in person with colleagues, or the distraction-free environment of a plane, train, or café, can be hard to manage. There are plenty of techniques to try: blocking out time in the calendar for a specific task; or for a general group of activities (so allowing you to still be flexible about exactly what you tackle at a given time). Changing your environment at home if you can – maybe working on the sofa for 30 minutes before relocating to the desk for the next 30. Even just changing the music you listen to can help. Some people prefer to use several approaches and cycle between them. But whatever you do, do something, and if it’s not working, try something else. Some kind of structure is crucial to make sure you stay productive.

Tolerance

This one is obvious… sort of. First off, you need to recognize that your colleagues — and your managers, and your direct reports — are all struggling with their own challenges. Work may take longer. People may be less responsive, or become unavailable at short notice. Kids will show up in the background of video calls. Make allowances accordingly and be as supportive as you can.

If you are at home with family, though, you need to remember to be tolerant of their needs as well. It can be really hard for your house-mates (spouse, children, significant other) to adapt to you ‘being at work’ when you’re actually ‘at home’ – especially if you can’t establish some kind of physical separation. You may need to find some way of indicating that distinction that you can all agree on… and then remember that it still won’t always work.

If you are used to working from home normally, you may find yourself with a set of new frustrations: other people now occupy your workspace, and you don’t quite know what to do about it. You may need to reassess your typical daily routine and find alternative ways to manage things.

Finally, be tolerant of yourself. If you are new to this, you are going to have bad days. You’ll have days where you feel like you got nothing done. You’ll have days where you completed all your work tasks, but forgot to do the shopping. And you’ll have great days where everything clicks… and wonder why all your days can’t be like that. Don’t beat yourself up: it’s the same for everyone.

Contact

Finally, don’t forget the importance of community. From a work perspective you may want to make an extra effort to stay engaged. Even if you are not normally the sort to join in the #random channel or the newly-established wfh@mycorp.com distribution list – now is the time to do so. You might also want to look for other peer groups meeting outside of the direct work environment.

But do remember that you also need downtime. Maybe whatever local activity you’re involved in is developing a virtual presence… maybe you can help them! Active cyclist? Try Zwift (or another virtual cycling app of your choice!). Avid book reader? Plenty of virtual book clubs around. Budding mixologist? Online cocktail hours abound.

For IDPro members: if you didn’t already engage via Slack, now is a good time to do so. And we’ve established a #wfh channel there to share tips and tricks, and frustrations 🙂 It all helps.

This is my final article for the newsletter in my role as newsletter committee Chair. Having been in that post since starting the newsletter 24 issues ago, it’s time for a new hand at the helm. I’m delighted that Jon Lehtinen will be taking over, and I look forward to continuing to contribute where I can as a regular member of the committee. Jon will no doubt be looking for new contributors; and now is a great time to step up.

With that: thank you for reading, and stay safe.

Andrew Hindle

Independent Consultant, Board Member IDPro


10 Tips for Working From Home from IDPro

Thanks to COVID-19, many of us in the Identity industry have shifted to working from home. Although you may be grateful to be in an industry that can work from home, that doesn’t mean it’s always easy. As someone who has worked remotely for the last few years, here are a few tips for surviving and thriving while working from home during this uncharted time.

  1. These are not normal circumstances!
    Remember that these are extraordinary times, so working from home may feel harder than it would under ordinary circumstances. Even as a fully remote employee, the last few weeks of work have been hard for me. There’s a pandemic, you can’t see your elderly relatives, your kids may be at home, and people you know may have contracted COVID-19. Give yourself a break. The world is just not particularly conducive to concentrating at the moment. Be kind to yourself and to everyone else, too.
  2. Find a comfortable space to work.
    Ideally, if you can get a room to yourself, awesome. If not, just find a place where you’re comfortable sitting or standing for potentially a few hours at a time. I will try to hit as many of the rules for ergonomic sitting/standing as possible (here’s an example of those: https://www.publichealthnotes.com/ergonomics-and-its-10-principles/). For me, the most important is to look slightly down at my monitor. I have nagging neck issues and this one makes the biggest difference for me.
  3. Move your work area during the day (if you want to).
    When you’re working from home, there aren’t the same natural triggers to move around, like going to a meeting room on a different floor or building, getting lunch out, or visiting with a coworker. Some days, I will realize I’ve been sitting in the same chair, in the same spot, for 10+ hours. Honestly, for me, some days that is 100% fine. But sometimes I feel like I’m going stir crazy and will move meetings to my kitchen or living room. I love it when my co-workers do that as well, because it means we may get an appearance from a pet or kid or two. (And if you’re worried about people experiencing your two/four/no legged family members – don’t be! It’s the best part of every meeting.)
  4. Get up
    Even, or especially, if you don’t/can’t abide by tip #3 – make sure you get up during the day. Because of the aforementioned lack of natural triggers to move around, be sure you’re standing up, stretching, and generally moving around to keep blood flowing and catch any bad working positions before they get significant. I can always tell when I stop to stretch if I’m in a bad position for my neck, and moving around for even a minute or two can tell me I need to change my working position. And, since sitting is the new smoking, getting up intentionally can help stave off those longer term health concerns while you’re working from home. If you can, you may even try creating an environment where you can work in a standing position for periods of time.
  5. Take breaks (long and short!)
    Make sure you structure your day with breaks included. Sometimes I will fill my day with meetings, including scheduling over lunch, or back-to-back-to-back because I’m at home. Schedule breaks into your schedule to hang out with your kids, take a walk (6 feet away from everyone else!), meditate, whatever refreshes your mind/body/spirit. Since my kids are home from school, I’ve also started scheduling small chunks of time to do lessons with them over the course of the day. (Nothing like working and homeschooling during a pandemic for refreshing mind/body/spirit, amirite?)
  6. Designate eating times
    Okay, you know what? I had this in the list because when I first started working from home, I would suddenly find myself in the pantry eating out of a bag of chips, whenever I was thinking about a hard problem or procrastinating a task. Scheduled eating helped me avoid doing that (e.g. lunch at noon, snack at 3). But, right now, forget it, we have enough to worry about. Eat the bag of chips.
  7. Use your camera
    Seeing other people’s faces helps me connect with them and lets them better connect with me. When working from home, seeing others allows you to gauge non-verbal cues, better read emotions, and empathize with the people with whom you’re speaking. I’m not a huge fan of my on-camera appearance, but a couple of improvements I’ve made when I can: use soft, head-on lighting, and position your camera slightly above your head, so it’s aiming down at you. If I’m on my laptop, this means I may set my laptop on a stack of books during the call, so the laptop camera is just above my forehead. Very slimming! 🙂
  8. Socialize
    We’ve started doing happy hours or tea time to stay connected. This is a great way to add social activities that occur during work back to your day and ensure that your work relationships stay/become friendships. It’s also a good way to commiserate and feel less isolated and alone while on quarantine.
  9. Start and end your day (or find the rhythm that works for you)
    Some of you might find that you’re not commuting in the morning for the first time. Rather than devoting that extra time to more work, take the time to have breakfast, hang out with your kids, take the dog for a walk, whatever it is that allows you to contribute to your wellbeing before starting on work. I’ve also found that it’s sometimes hard to stop working at night, since there’s no commute to indicate your day is complete. Try adding in something to demarcate the end of the day – could be a walk, could be as simple as closing your laptop at a certain time. I will tend to change rooms to whatever room my kids are in, which always stops any progress on work! You can also take advantage of working from home to change up your schedule. If you want to spend a few hours with your kids in the afternoon, then hop back on your laptop at night, that’s an option that’s easier to accomplish when your working environment is also your home.
  10. Don’t stress too much (easier said than done, I know)
    Without the microinteractions and hallway conversations that occur during the day, it can be easy to feel isolated and have nagging doubts about your ability, your relationships, and your work. First, that is normal and no one is thinking whatever terrible thing you think they’re thinking (probably.) Second, everyone is in a similar boat now, so all of your colleagues, vendors, customers are feeling more fragile than they were before. At the end of the day, we’re doing great just by getting by. Go easy on yourself. Take care of yourself and each other.

Marla Hay 

Sr. Director Product Management – Privacy & Data Governance 

Salesforce

Don’t Launch the ABAC Ship Without Stewards Onboard

The promise of attribute-based access control (ABAC) is positively mesmerizing. Most IAM products can assign access based on roles and rules built on user data. Training usually provides simplistic, easy to follow use cases. Business analysts can quickly analyze data and sort out use cases for automation which should improve security, lower overhead, and enable the business. While this all sounds great, and is great, a lot of online and product documentation leaves out a key component – data stewardship. If the departments that own the data don’t know how it is being used, and agree to it, side effects of automation may ensue leaving users without the access they need, and the IAM, Sec Admin, Access Admin groups in SOS mode. Here is a cheat sheet that lays out definitions, benefits, and potential “gotchas” organizations should be aware of before launching their ABAC initiative.

Data Requirements for Implementing Attribute Based Access Control (ABAC)

  • Data Stewards – responsible for each data element used in ABAC
  • Data Integrity – with established accuracy and completeness thresholds
  • Understanding of Use – and acceptance of the use of the data by the data owner and provider
  • Data Protection – changes to data objects and available data values must be governed, controlled, documented and communicated

ABAC Benefits

  • Automation for access decisions and provisioning based on data – business enablement
  • Ability to map data to business roles and, through those roles, to access in systems and applications
  • Improved security posture and better housekeeping
  • Bundling of access into roles

ABAC Concerns

  • Missing or incomplete data requires fallback to default logic for error handling
  • Timing – data may change for a worker before or after the true date when action should be applied to worker accounts
  • Point of failure when logic is dependent on specific data values that can change based on Finance, HR, or Org changes – such as Cost Center or Org Name changes
  • Potential for changes to large numbers of worker records simultaneously
  • Retesting – upstream changes require updates to the IAM system and retesting
  • Finance and organization data changes may not be communicated to IT and identity teams in advance, resulting in downtime or fallback to default logic

Funnily enough, a quick Internet search for “RBAC is dead” will reveal a trove of articles on the rise of ABAC.
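To make the cheat sheet concrete, here is a small added example (not IDPro's code and not any IAM product's) of an attribute-based evaluator that wires in the stewardship guards listed above: a required-attribute check that falls back to default logic, a steward-approved value domain so that an uncommunicated Cost Center rename is caught instead of silently stripping access, an effective-date guard for the timing concern, a batch completeness threshold, and a blast-radius count for a proposed upstream data change. The attribute names, value codes, rules, entitlements and worker records are all constructed for the example.

```python
"""ABAC evaluation with the data-stewardship guards the cheat sheet calls for.

Added illustration, not IDPro's or any IAM product's code. Attribute names,
approved value domains, rules, entitlements and the sample worker records are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date

# Value domains the data owners (HR for department, Finance for cost center)
# have agreed may drive access. A value outside its domain is unreviewed drift,
# e.g. a cost-center rename that was never communicated to the identity team.
APPROVED_VALUES = {
    "department": {"Finance", "Engineering", "HR"},
    "cost_center": {"CC-100", "CC-200", "CC-300"},
}
REQUIRED_ATTRS = ("department", "cost_center", "effective_date")

# Each rule: attribute conditions that must all match -> entitlement granted.
RULES = [
    ({"department": "Finance", "cost_center": "CC-100"}, "erp-ledger-rw"),
    ({"department": "Engineering"}, "source-repo-rw"),
    ({"department": "HR"}, "hris-admin"),
]
# What a worker gets when the data cannot be trusted: the "default logic".
DEFAULT_ENTITLEMENTS = frozenset({"corp-email"})
# Steward-agreed completeness threshold for a batch run (constructed value).
COMPLETENESS_THRESHOLD = 0.95


@dataclass(frozen=True)
class Decision:
    worker_id: str
    entitlements: frozenset
    fallback: bool     # True when default logic was used instead of the rules
    reasons: tuple     # why the rules were not applied


def evaluate(worker: dict, today: date) -> Decision:
    """Apply the rules only when the worker's attributes pass the integrity checks."""
    reasons = []
    missing = [a for a in REQUIRED_ATTRS if worker.get(a) in (None, "")]
    if missing:
        reasons.append(f"missing attributes: {missing}")
    for attr, domain in APPROVED_VALUES.items():
        value = worker.get(attr)
        if value not in (None, "") and value not in domain:
            reasons.append(f"unapproved value {attr}={value!r}")
    if reasons:
        return Decision(worker["id"], DEFAULT_ENTITLEMENTS, True, tuple(reasons))
    # Timing guard: HR may record a future-dated change; do not act on it early.
    if worker["effective_date"] > today:
        return Decision(worker["id"], DEFAULT_ENTITLEMENTS, True,
                        ("effective_date is in the future",))
    granted = set(DEFAULT_ENTITLEMENTS)
    for conditions, entitlement in RULES:
        if all(worker.get(k) == v for k, v in conditions.items()):
            granted.add(entitlement)
    return Decision(worker["id"], frozenset(granted), False, ())


def completeness(workers: list, today: date) -> float:
    """Share of workers whose data was good enough for the rules to be applied."""
    if not workers:
        return 0.0
    return sum(1 for w in workers if not evaluate(w, today).fallback) / len(workers)


def impact_of_change(workers: list, today: date, attr: str, old: str, new: str) -> int:
    """Blast radius of an upstream data change: how many workers' access would
    differ if every `old` value of `attr` became `new` (e.g. a cost-center rename)."""
    changed = 0
    for w in workers:
        if w.get(attr) != old:
            continue
        before = evaluate(w, today).entitlements
        after = evaluate({**w, attr: new}, today).entitlements
        changed += before != after
    return changed


# Constructed sample feed: one clean row per rule plus the failure modes.
TODAY = date(2020, 4, 1)
SAMPLE_WORKERS = [
    {"id": "w1", "department": "Finance", "cost_center": "CC-100", "effective_date": date(2020, 3, 1)},
    {"id": "w2", "department": "Engineering", "cost_center": "CC-200", "effective_date": date(2020, 3, 1)},
    {"id": "w3", "department": "Finance", "cost_center": "", "effective_date": date(2020, 3, 1)},  # incomplete
    {"id": "w4", "department": "HR", "cost_center": "CC-300", "effective_date": date(2020, 5, 1)},  # future-dated
    {"id": "w5", "department": "Finance", "cost_center": "CC-999", "effective_date": date(2020, 3, 1)},  # unapproved code
]

if __name__ == "__main__":
    for w in SAMPLE_WORKERS:
        print(evaluate(w, TODAY))
    rate = completeness(SAMPLE_WORKERS, TODAY)
    print(f"completeness {rate:.0%}, threshold {COMPLETENESS_THRESHOLD:.0%}: "
          f"{'proceed' if rate >= COMPLETENESS_THRESHOLD else 'halt batch and escalate to stewards'}")
    print("workers affected by renaming CC-100 to CC-150:",
          impact_of_change(SAMPLE_WORKERS, TODAY, "cost_center", "CC-100", "CC-150"))
```

The two batch-level functions are where the stewards earn their keep: a completeness rate under the agreed threshold is a reason to stop the run and ask the data owner what changed, and running `impact_of_change` against a Finance-proposed rename before it lands shows exactly how many workers would drop to default access.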

James Dodds

IDPro Editorial Committee


A Look Back at GDPR and A Look Forward to CCPA and LGPD 

What can we learn from GDPR (the General Data Protection Regulation) about how to manage privacy legislation? What does impending privacy regulation like CCPA (the California Consumer Privacy Act) or LGPD (Lei Geral de Proteção de Dados, Brazil’s personal data protection law) mean for the privacy landscape in general? How can we future-proof our privacy practices to move beyond prepping for the next set of rules?

GDPR is now a year and a half old! I will always remember the day GDPR was born, as it was preceded by 800 companies I don’t remember ever interacting with sending me emails asking me to approve their updated privacy policy. It also marks the era of cookie notifications on every website, each of which with an “accept” button but no “decline” button. It’s the same behavior as when I’m offered cookies at my mom’s house, so I’m actually pretty used to it. You’re gonna accept these cookies and you’re going to love them!

Seriously, though, GDPR is a positive step. It is a major legislative piece that tackles the issues of data rights and consent for a big group of people and it represents that people are demanding more control over their data. This can feel daunting for marketing teams, who have to make sense of all of these rules and may feel like they are losing their ability to generate leads. And that can be true in the short term – but the effect in the long term is that companies will start to have more genuine relationships with those who remain, and the ability to really develop a trusted relationship with those customers results in greater customer loyalty and a higher lifetime value. But, before we get into that – let’s take a look back at GDPR over the last year and a half.

So what’s happened?

In the first year:

  • 280,000+ cases
  • 144,000+ complaints
  • 89,000+ data breach notifications
  • 90+ fines
  • 56,000,000 Euros in fines

To date:

  • 200+ fines
  • 460,000,000 Euros in fines

(Reference: https://enforcementtracker.com/)

As a reminder, the GDPR gives national watchdogs extensive powers to investigate privacy breaches and to hand down fines of up to 20 million euros (around $22.4 million USD) or 4 percent of a company’s global annual turnover, whichever is greater.

More than 280,000 “cases” were reported in 27 European Economic Area countries in the first year of the GDPR. Of these, around 144,000 were “complaints” (e.g. improper data processing), as opposed to 89,000 that were data breaches (i.e. insufficient measures to secure data).

As of this writing, the top complaint category is insufficient legal basis for data processing, by almost twice the number of fines of any other category. In total, 460 million euros in fines have been levied (which is more than four times the amount of fines just six months ago!)

This sounds like a significant number, but it turns out that more than 400 million of that is British Airways, Marriott, and Google. British Airways and Marriott were fined around 200 million and 110 million, respectively, for insufficient technical and organisational measures to ensure information security, and Google was fined 50 million by CNIL [ke-nil] (France’s privacy regulatory body, the Commission Nationale de L’Informatique et des Libertés) for failing to inform users adequately about its use of their personal data and failing to seek “valid legal consent” from users to personalize ads. 

Now, that leaves 60M euros over 200 fines levied, and some of you might be thinking to yourself – okay, 300,000 Euros, and only 200 organizations have been fined. Maybe there’s a risk discussion we need to have before investing any further in privacy. But, don’t get too comfortable, because it turns out regulators aren’t letting things slide, they’re just really, really busy. As DLA Piper research puts it:

“Regulators are stretched and have a large backlog of notified breaches in their inboxes. [T]he larger headline grabbing breaches have taken priority …, so many organizations are still waiting to hear from regulators whether any action will be taken against them …”

which means that, as Giles Watkins, IAPP Country Leader for the UK explains:

“… I sense that there is only a limited time for organizations to put their houses in order before the commissioner does revert to the enhanced penalty regime, with potential enforcement actions perhaps being even more significant to businesses than the monetary fines” – Giles Watkins, IAPP Country Leader, UK

Okay, great, so we really do have to care about this. But . . that’s not all. We don’t just have GDPR to worry about: every country and their mom are coming out with a privacy regulation. Are we going to be living a GDPR Groundhog Day for the rest of our lives?

Not necessarily – but first, let’s talk a little bit about what’s definitely maybe coming and how these regulations overlap.

The next big regulation to hit the scene this year is the California Consumer Privacy Act, the CCPA. This law has been called GDPR-lite or the California GDPR, which I think just means it’s privacy regulations with some avocados on it? I kid. In all seriousness, though, there are some differences between the two, which we can take a quick pass through.

Both regulations require transparency or auditability of operations. Both require maintaining a data privacy notice, and policies and procedures for obtaining consent. However, the CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request.

CCPA is specific about the ability to opt-out of the sale of personal information to third parties as well as protecting those users from price or usability discrimination, while GDPR is not as explicit about that particular scenario.

CCPA 1798.115 (d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

The high level take away from this comparison is that we should expect to have to grant users the right to manage their data in a variety of capacities. So, what does this look like when we add in LGPD, another major privacy legislation to appear post-GDPR?

The LGPD is very similar to GDPR in terms of personal data rights and protections – in each of the major categories we examined for GDPR, LGPD follows suit exactly. There are some minor differences with the LGPD. For example, LGPD does not differentiate anonymous data from pseudonymous data. When the difference between those categories is related to risks of re-identification of the data subject, the Brazilian law does not relax legal obligations for controllers that employ pseudonymisation techniques when compared to the EU regulation. But, on the whole, similar data strategies and rights considerations can be employed between the two.

So what are we going to do? To hit the overarching themes and impetus behind the regulation, every organization should do three things:

  1. Understand your customer data
  2. Make it easy (ish) to manage
  3. Give control to your customers

In order to understand your data, you need to:

  • Catalog your data: What data do you have? Where is it stored? Why do you have it/how is it used?
  • Know who can see your data: Who can access your data? To which third parties do you share/sell data and what data do you share/sell?
  • Assess your risk: What is the sensitivity of each piece of data?

In order to manage your data you need to:

  • Minimize Data: Determine what data is needed and what isn’t – delete data you don’t need, anonymize data you don’t need to tie back to an individual
  • Data Retention: Based on your catalog decide how long you need each piece of data and implement process around retention and disposal of data
  • Data subject processes: Make it as easy as possible to respond to requests like: portability, vendor sharing/selling, deletion, processing by having APIs or processes in place with each data owner
  • Review/Enhance Security: Protect data from unauthorized access, use classification to drive access

Finally, giving control to your customers means:

  • Transparency: Show your customers how you’re using their data and with whom it’s shared/sold. Give them the ability to revoke those purposes or third party access
  • Data Access Rights: Give your customers the ability to exercise data rights like portability, restriction of processing, right to be forgotten. The more automated, the better.
  • Consent and Preferences: Give your customers the ability to opt into or out of data uses (as much as is possible) and establish their own preferences for communication and data use.
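As an added example of how the three steps fit together in code (constructed for this newsletter, not the author's or Salesforce's implementation): one catalog entry per field carries its classification, purpose, retention period, whether it identifies a person, and which third parties receive it, and that single record then drives classification-based access, retention disposal, anonymisation for an erasure request, and the transparency report for a data-subject request. Field names, classification levels, retention periods, vendor names and the customer record are all constructed.

```python
"""Catalog-driven retention, classification-based access and disclosure.

Added example, not the author's or Salesforce's code. The catalog entries,
classification levels, retention periods, third-party names and the sample
customer record are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CatalogEntry:
    """One data element, as the 'understand your data' step should produce it."""
    field: str
    classification: str      # public < internal < confidential < restricted
    purpose: str             # why the data is held
    retention_days: int      # how long it is needed after collection
    identifying: bool        # can it tie the record back to a person?
    shared_with: tuple = ()  # third parties that receive it


CATALOG = {
    "email": CatalogEntry("email", "confidential", "account login", 730, True, ("mailer-vendor",)),
    "name": CatalogEntry("name", "confidential", "billing", 730, True),
    "last_login_ip": CatalogEntry("last_login_ip", "restricted", "fraud detection", 90, True),
    "plan_tier": CatalogEntry("plan_tier", "internal", "product analytics", 1825, False),
}
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def visible_fields(record: dict, clearance: str) -> dict:
    """Classification drives access: return only fields at or below the clearance.
    Fields absent from the catalog are never returned, so uncatalogued data
    cannot leak through this path."""
    limit = LEVELS[clearance]
    return {f: v for f, v in record.items()
            if f in CATALOG and LEVELS[CATALOG[f].classification] <= limit}


def apply_retention(record: dict, collected_on: date, today: date) -> tuple:
    """Minimise and dispose: drop every field past its retention period, and
    every field the catalog cannot justify at all. Returns (kept, disposed)."""
    kept, disposed = {}, []
    for f, v in record.items():
        entry = CATALOG.get(f)
        if entry is None or today > collected_on + timedelta(days=entry.retention_days):
            disposed.append(f)
        else:
            kept[f] = v
    return kept, disposed


def anonymise(record: dict) -> dict:
    """Keep what does not identify a person (e.g. for aggregate analytics) and
    strip everything that does: the 'right to be forgotten' path."""
    return {f: v for f, v in record.items() if f in CATALOG and not CATALOG[f].identifying}


def disclosure_report(record: dict) -> dict:
    """Transparency for a data-subject request: the purpose each field is held
    for, and which of this person's fields go to which third party."""
    report = {"purposes": {}, "shared_with": {}}
    for f in record:
        entry = CATALOG.get(f)
        if entry is None:
            continue
        report["purposes"][f] = entry.purpose
        for party in entry.shared_with:
            report["shared_with"].setdefault(party, []).append(f)
    return report


# Constructed sample record (not real personal data); "legacy_note" is a field
# nobody catalogued, which is exactly the data the catalog step should surface.
SAMPLE_RECORD = {"email": "alice@example.test", "name": "Alice Example",
                 "last_login_ip": "203.0.113.7", "plan_tier": "pro",
                 "legacy_note": "uncatalogued"}
COLLECTED_ON = date(2020, 1, 1)
RETENTION_CHECK_DATE = date(2020, 6, 1)  # constructed "today" for the retention run

if __name__ == "__main__":
    print(visible_fields(SAMPLE_RECORD, "internal"))
    print(apply_retention(SAMPLE_RECORD, COLLECTED_ON, RETENTION_CHECK_DATE))
    print(anonymise(SAMPLE_RECORD))
    print(disclosure_report(SAMPLE_RECORD))
```

The design point is that every control reads the same catalog: if a field has no entry, it is neither served to anyone nor retained, which turns "what data do you have?" from a one-off survey into something the systems enforce.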

Doing this will not only keep regulators happy and your organization off the fine list, it will also create a trusted, transparent relationship between organizations and the data subjects whose data they are stewarding, which means these regulations, if handled well, can be a win-win for organizations and for customers, consumers, and all data subjects.

Marla Hay

Sr. Director

Product Management – Privacy & Data Governance

Salesforce


Evaluating 2FA in the Era of Security Panic Theater

It seems like today’s world offers constant reminders of how insecure our digital lives can be. As a security professional, part of my job is to monitor for threats to my company and the organizations with which I have a relationship. A significant part of that effort lies in assessing how likely or realistic those threats are. If you believed every infosec vulnerability headline you see come across Twitter, it would be easy to feel somewhat like Chicken Little, with the sky ever falling. I’ve actually coined a term for this phenomenon (though I’m not sure if I actually originated it, but Google seems to think so): Security Panic Theater.

If this term sounds mildly familiar, it is because of its proximity to the phrase ‘security theater’. We experience this pretty regularly whenever we attend a major sporting event like the World Series and we have to go through long lines where people wave a wand over us to ensure my keychain knife doesn’t get admitted to the stadium. This takes place even though the track record of seizing weapons that would matter is pretty poor. But the mere act of this experience makes patrons feel safer. This is even worse when we travel and pass through TSA’s gauntlet of screeners. Consistent penetration tests reveal a woeful rate of actually detecting items that could cause us harm while we are in flight. To add to the insult of this process, there is a comic reality with what actually is seized. I’ll let comedian Steve Hofstetter explain:

If you bring too much liquid, the TSA confiscates it and throws it away, in case it’s a bomb. So they throw it away. In case it’s a bomb. In the garbage can, right next to them. With all the other possible bombs. In the area with the most amount of people.

In case it’s a bomb.

Security Panic Theater (SPT) is a bit of a different experience. The process for SPT goes something like this:

Vulnerability/breach announced regarding a product or control (x) [Security]

+ Inflammatory internet headline(s) regarding (x) [Panic], which leads to the conclusion:

Product or Control (x) is useless/defeated [Theater]

A relatively recent example of this was the release of a penetration testing toolkit by Polish researcher Piotr Duszyński named Modlishka, which loosely translates in English to Mantis. The central feature of this toolkit was the use of a reverse proxy that could accelerate a phishing flow by sending a user to a spoofed URL, but the rest of the web experience was as the user expected. This enabled a man-in-the-middle (MITM) attack to capture both the credential and the SMS code being used by the user.

The significance of this new framework didn’t lie with the fact that you could now phish any 2FA method that used OTPs. What made this release notable was that it was now significantly easier to accelerate the phishing flow because you didn’t have to spin up a fake site. A reverse proxy would do the work for you. To be clear, that is certainly noteworthy, but also not new.
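An added illustration of the distinction drawn above, and not code from the article, from Modlishka or from any vendor: an OTP check has no binding to the page the code was typed on, whereas a FIDO/WebAuthn assertion signs the origin the browser actually showed the user, so the relying party rejects an assertion produced on a look-alike domain. This goes a step beyond the text by showing the relying-party checks themselves. The RP ID, origin, challenge and credential key are constructed, and an HMAC stands in for the authenticator's asymmetric signature so the example runs on the standard library alone; in practice the browser additionally refuses to use an RP ID that does not match the page's domain, so the ceremony fails even earlier.

```python
"""Why a relayed OTP verifies but a relayed FIDO assertion does not.

Added, simplified illustration; not the article's, Modlishka's or any
vendor's code. RP ID, origin, challenge and credential key are constructed,
and an HMAC stands in for the authenticator's asymmetric signature. The
check order (type, challenge, origin, rpIdHash, signature) follows the
WebAuthn relying-party verification steps.
"""
import hashlib
import hmac
import json

RP_ID = "example.test"                            # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.test"    # the only origin the RP accepts
CREDENTIAL_KEY = b"constructed-credential-secret"  # stand-in for the key pair
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"              # constructed; real ones are random per login


def otp_verify(submitted: str, expected: str) -> bool:
    """An OTP check knows nothing about where the code was typed. A code the
    user enters on a look-alike page and that a proxy forwards in real time
    verifies exactly like one typed on the genuine site."""
    return hmac.compare_digest(submitted, expected)


def browser_client_data(challenge: str, origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser fills in the origin
    it is actually showing the user; page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


def authenticator_sign(client_data: bytes) -> tuple:
    """authenticatorData = SHA-256(rpId) || flags || signCount; the signature
    covers authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()


def rp_verify(expected_challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> tuple:
    """Relying-party checks. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def fido_login(origin_shown_to_user: str) -> tuple:
    """Full ceremony: the browser builds client data for the origin it is on,
    the authenticator signs it, the RP verifies. An assertion produced on a
    look-alike page carries that page's origin inside the signed data."""
    client_data = browser_client_data(CHALLENGE, origin_shown_to_user)
    auth_data, sig = authenticator_sign(client_data)
    return rp_verify(CHALLENGE, client_data, auth_data, sig)


if __name__ == "__main__":
    # Same user behaviour on both pages; only the origin the browser saw differs.
    print("OTP on genuine site:      ", otp_verify("482913", "482913"))
    print("OTP relayed via look-alike:", otp_verify("482913", "482913"))
    print("FIDO on genuine site:      ", fido_login("https://login.example.test"))
    print("FIDO via look-alike:       ", fido_login("https://login.examp1e.test"))
```

The OTP line comes out True twice because the verifier only ever sees six digits; the FIDO line fails on the look-alike because the origin is part of what was signed, and no amount of real-time relaying changes what the user's browser wrote there.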

However, to hear the twitterverse and online media outlets talk about it, you’d think all our credentials, even if protected by 2FA, were suddenly moments away from being captured by hackers. Now, to be fair, there are some responsible journalists who try to treat these topics fairly, but even a sane article can often be overridden by a clickbait title like “Is 2FA Dead?”

Let’s get a few basics clear for the sake of sanity & clarity:

  1. 2FA can’t be killed. It is a combination of factors for authentication, not a single technology or pattern. The last few years alone have had a litany of episodes where a particular technology may be at risk (often temporarily, or misleadingly so), such as:
    1. RSA tokens were allegedly cracked (mostly not true)
    2. SS7 flaw will drain all your bank accounts (true, but hard to implement)
    3. NIST Killed SMS 2FA (sort of, but not really)
    4. Modlishka makes SMS useless (sort of, but not really) 
    5. Google Security keys have Bluetooth flaw (recall for some, not all)
    6. Yubikey FIPS keys flawed (recall for some, not all) 
    7. Apple promoted modifications to SMS 2FA for improved anti-phishing strength & joined FIDO’s board. 
    8. 2FA implementation in Iowa Caucus renders app nearly unusable 

Notice the trend here? While there is some truth for most of these from a vulnerability perspective, the reality is that these technologies still work to protect your credentials. Apple’s recent announcement has its own debate worth talking about (and has been on IDPro’s Slack site) and the debacle in Iowa shows that any technology is a dumpster fire waiting to happen if its implementation is designed poorly.

  2. The diversity of the 2FA landscape makes it stronger, not more vulnerable. 

Let’s take a look at the following categories of authentication: 

Pretty diverse to be killed with a single vulnerability, I would think! Now let’s overlay which ones have at least one known vulnerability:

If we look at all the ones in red, that would be pretty disheartening to the casual observer. That’s where journalists and analysts need to take special care in talking about vulnerabilities. The real story doesn’t fit neatly into a simple headline regarding the vitality of the authentication landscape.

  1. All methods of 2FA are still incredibly effective (some more than others) 

Google published a study of some internal findings on various methods used to secure their public credentials. Yes, SMS should be the low hanging fruit of 2FA but guess what, even this well-beaten pinata of 2FA stopped 76% of targeted attacks and nearly 100% of automated & bulk phishing attacks!

Microsoft recently published some numbers to similar effect, that the risk of account compromise is reduced by 99% using multi-factor authentication (MFA). I’d say 2FA is far from dead in that context.

  1. Yes, we should get rid of the 2 in 2FA, long live MFA

The biggest reason for this is that users can be more secure, and less inconvenienced when they have access to multiple ways of authenticating instead of one token combined with a password that can be lost, or a phone that can be upgraded and lock a user out. Without promoting one vendor, I can say thoughtfully that I have several methods to secure my key accounts and that diversity of options, I believe, is the key to giving our users the power of choice as to how they want to login. That power is how we eventually do reduce passwords to an edge use case. The key is that more sites need to support those methods to incentivize adoption. We’re not there yet, but the last few years show a lot of promise in eventually achieving that goal.

The reality is, even the coolest methods of authentication will eventually find a vulnerability. History proves this. But we don’t throw the baby out with the bathwater when those are discovered. We fix it, learn from it, and stay secure. Let’s leave the theater to the actors, where it belongs.

Lance Peterman

IDPro Board

Resources:

Identiverse officially kicks-off this week and is an important event for IDPro, not only because IDPro was launched at Identiverse in 2017, but also because both organizations share a mutual goal of providing resources to digital identity professionals. 

“A terrific example of this was the standing-room-only experience in the Introduction to Identity sessions held at last year’s conference in Washington D.C. IDPro helps enhance the overall experience for attendees at the conference and, in exchange, we get a terrific canvas upon which to share our mission to ‘globally foster ethics and excellence in the practice and profession of digital identity’, engage our members and stakeholders (and hopefully future members), and share our progress as an organization.” – Lance Peterman, IDPro treasurer and board member 

This year, due to restrictions from the COVID-19 pandemic, Identiverse will be held virtually as a series of webinars timed to accommodate a global audience. Most presentations will offer a live Q&A and will also be available on-demand. This month, IDPro members will be presenting the following topics at Identiverse: 

Week 1: June 15 – 19 

10 years ago no one was interested in the notion of “digital identity”. You had accounts and passwords, and it was an irritating administrative function to manage all those accounts for customers, citizens and humans in general. In the last two years the war for the hearts, minds and wallets attached to a human’s digital identity has set the stage for open warfare in 2020 and beyond by organizations and industries that see the value in being the creator and manager of a digital identity standard. What does it mean for the US and the world when champions for SSI and banks and payment processors and social media and governments and healthcare networks are all racing to create an operationally sustainable unique digital identity? Will there be tensions and challenges between these different actors when it comes time to recognize the credibility and authenticity of each other’s standards? Richard Bird regularly spends time across 5 continents working with governments and large companies, navigating the complexities of the rising interest and demand for true digital identities. He’ll share his observations in an effort to prepare you for the disruption this will create in our practices, designs and architectures for security, privacy and consumer and citizen rights.

  • Speaker/s: Richard Bird

As Digital Identity technologists, we’re used to rolling our eyes at onerous (and downright unfriendly) user experiences. But we know our SMS OTPs from our TOTPs. We’re experts at navigating complex password policies, for registration and resets. We know when to share our biometric and other sensitive data, and when to be more cautious. But spare a thought for the average user. They’re often described as the weakest link in security. We shouldn’t be blaming them. They’re bemused, confused, and sometimes livid about the hoops we make them jump through. This session will take you on an amusing and honest appraisal of Digital Identity Experience from the end user’s perspective, in their own words. Build empathy to connect with their problems by walking a mile in their shoes. We will cover user registration, authentication, password reset, account recovery and more. I’ll present a ToDo List for improving user experience, based on current industry recommendations. We owe it to society to protect end users and their data, and build trust. Cost-effective and user-friendly identity experiences are the ultimate goal. So let’s reflect on our shortcomings and get serious about improving the status quo!

  • Speaker/s: Mark Perry

As the industry iterates beyond simple cloud deployments, application & identity architects confront new challenges in deploying and managing complex application instances which span the globe across multiple provider regions. Rapid failover from one region to another is a critical component for these distributed applications- but did you know how much your cloud DNS service and DNS architecture impact the speed that traffic can be rerouted from one region to another? In this talk, Jon Lehtinen shares his experiences testing several DNS architectures, and highlights how different resolution methods, failover policies, and other seemingly inconsequential components greatly impact how instantaneous- or not- your failover can be.

  • Speaker/s: Jon Lehtinen

The future of the standards and services we build is unwritten. We are curious about the future because we shape it. But from the works of our hands to a world 10 years hence is an unknown path. In this talk, Mr. Glazer will discuss what the future of identity could look like in 5 to 10 years:

  • What previous predictions about identity’s future got right and wrong
  • Where standards adoption will be
  • How associated technologies will impact our industry
  • What a discontinuous future might look like

  • Speaker/s: Ian Glazer

Verizon Media reaches over one billion people around the world with a dynamic house of 50+ media and technology brands. After acquiring AOL and Yahoo’s businesses, the company now employs about 10,000 people. However, extensive firewalls made it difficult to collaborate across the newly merged entities in an increasingly cloud-first environment. This presentation will discuss how they enabled authentication in a zero trust environment by following the principles of least privilege. By federating identities and creating consolidated identity views, they allowed over 1,000 applications to authenticate and get complete user profiles without any changes or customization to the applications.

  • Speaker/s: David McCluskey, Bryan Meister

In an attempt to protect users from excessive tracking and surveillance, the last couple of years have witnessed major browser vendors introducing increasingly restrictive anti-tracking measures. Identity protocols and features got caught in the crossfire, however, forcing identity software vendors and developers to hastily introduce changes to restore functionality that browser changes broke. Is this the new normal? What will we do when a change will break an identity feature beyond repair? This session will review the main browser changes that have affected identity over the last few years – Chrome’s SameSite and Safari’s ITP2 in particular, interpreting them as part of a larger trend and attempting to predict what the future will look like for identity customers and practitioners.

  • Speaker/s: Vittorio Bertocci

Week 2: June 22 – 26

Digital signatures on HTTP messages? That aren’t broken by proxies, or TLS terminators, or gateways that reorder the headers just for fun? That’s exactly what you get with HTTP Message Signatures. This session dives into what they are, how they work, and how they can augment or replace existing API protection mechanisms such as bearer access tokens and cookies.

  • Speaker/s: Annabelle Backman

The idea of “fine grained authorization” has been around for several years now. Twenty years ago, there was a proposed standard, XACML that was focused on these fine grained decisions, and a language that could express the underlying policies. However, it never gained widespread acceptance. There is also a problem that the line between fine grained authorization, and business logic is a very hazy line. As consent and user managed access controls become more widespread, so the line between business logic and policy becomes even more blurred. I will talk about some of the reasons for the low acceptance of fine grained policy, as well as examining how the hazy line can be more easily defined. I will also address techniques that can be used to bring these different needs closer together.

  • Speaker/s: Allan Foster

Organizations going through digital transformation need to manage and secure the identities of users beyond their organizational boundaries, including partners, customers, and citizens. They want a single solution that is user-centric and flexible, secure, and scalable enough to support global users authenticating with any kind of identity, that doesn’t require deployment of multiple disconnected…

  • Speaker/s: Robin Goldstein

You own and control your thoughts, your words and your actions. But in a modern society that’s intent on verifying everything in the midst of a global crisis like the COVID-19 pandemic, where your movements impact the health of others, what do you really control? Join Esther Dyson and Andre Durand as they explore this topic in a thought-provoking conversation.

  • Speaker/s: Andre Durand, Esther Dyson

Customer identity professionals speak in terms like IdPs, SPs and OIDC. Business leaders understand terms like customer acquisition, revenue, and customer lifetime value. This disconnect can make it difficult to convey the value customer identity investments can provide and get the resources you need. Join us in this session as we walk through a sophisticated business value calculator that translates customer identity enhancements into the results they’ll drive for your business. We’ll show you how to take inputs from your business—like login and registration abandonment rates, average customer expenditure, and profit margins—and use them to calculate the effect various customer identity enhancements will have. We’ll show example use cases from several industries and give you the opportunity to input numbers from your own enterprise to see what effect customer identity will have on your business. This session will arm you with a powerful conversation to have with your business that will convey the value of customer identity and raise your status within your organization.

  • Speaker/s: Dustin Maxey, Vikas Mundada

Modern identity promises to solve some of the thorniest problems that historically plagued handling authentication and access control in applications. That sounds great in theory, but how do things really look when the rubber hits the road – what does it take to incorporate modern identity in your application development practice? Come to this session to learn the basics of modern identity development and be better equipped to understand and participate in more advanced developer-themed sessions, at Identiverse and beyond.

  • Speaker/s: Vittorio Bertocci

View the full Identiverse agenda here and register to attend. Also, join the IDPro Identiverse Slack channel to discuss hot topics and network with digital identity professionals. If you need an invite, or if you’re not receiving the email list messages, contact membership@idpro.org. Stay tuned for more information.
Follow IDPro and Identiverse on Twitter for updates. There may be some surprise speakers planned, as well as some virtual social events (still to be announced). If you’ve never attended Identiverse in-person before, this is a great opportunity to learn from some of the best identity practitioners. We hope to “see” you at Identiverse!

There are many ways to skin the high-availability cat using AWS’s Route53 DNS service. Here are some test results from my quest to get as close to instantaneous regional failover as possible.

I have spent the last couple of weeks thinking about how fast I can get Route53 to fail over from one region to another, and how narrow I can make the window of “page not found” type errors that a user would see during the failover. I care about this because during the last couple of years I have architected, built, launched, and now run an SSO deployment that spans three regions. It is functionally an IDaaS service built on AWS and COTS identity software (PingFederate). Here is my presentation on that service at the 2019 Identiverse conference for more details.

The salient bits that involve Route53 and my desire to optimize failover stem from the following:

  1. Unlike some IDaaS providers, sessions are generated and respected by every node in the global cluster. Though the global super cluster is composed of regional subclusters in AMERS, EMEA, and ASPAC regions, all nodes respect all sessions generated by all the other nodes/subclusters.
  2. Each regional subcluster can validate state through consensus amongst nodes for certain read-only transactions. Thus, for the best user experience, we want to keep users routed to the regional cluster closest to them so those read-only transactions can be validated in the regional subcluster rather than having to wait for the global cluster to achieve consensus on the state.
  3. If a region is lost, the session state can be redistributed amongst the remaining nodes in the other regions. The user experience of that failover is what I am looking to fully understand with this test.

Test Setup

I set up Apache servers in three regions, US-East-1, EU-West-1, and AP-Southeast-1, and configured them to show a simple homepage that displayed their region name.

I then placed each one behind a load balancer so that I had a consistent DNS name to route to for my tests, since I didn’t want to bother setting up VPCs and subnets with publicly accessible DNS names in three regions. I would use those DNS names to map a vanity URL, sso.redbeardidentity.com, across various Route53 routing policies. This way, as I took each of the three nodes down, I could easily see which of the three nodes was serving the page.

I also built a simple bash script that would curl sso.redbeardidentity.com every 1 second, and grep and display the header. This gave me something that wouldn’t require me to refresh an incognito browser that I could use to observe failover. I then built out some Route53 policies and started turning apache servers off and on.
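A poller in the spirit of the one described above, added here as an example and not the post’s own script: it fetches the vanity name once a second, labels each response by region or error, and prints the elapsed time at every state change so the failover window is measured rather than timed by hand. Assumptions: the test page carries its region name in an `<h1>`, the site is served over plain http, and the `URL`/`INTERVAL` variables and the `watch` argument are this example’s own conventions.

```shell
#!/usr/bin/env bash
# Added example (not the post's script): poll the vanity hostname, classify
# each answer, and time every change of state (region -> error -> next region).
set -u

URL="${URL:-http://sso.redbeardidentity.com/}"   # vanity name used in the post
INTERVAL="${INTERVAL:-1}"                        # seconds between polls

# Pull the region name ("US EAST 1", ...) out of a served page body.
# Assumption: the test homepage prints its region inside an <h1>.
extract_region() {
  printf '%s' "$1" | sed -n 's/.*<h1>\([^<]*\)<\/h1>.*/\1/p' | head -n 1
}

# Turn one poll into a state label:
#   curl error (e.g. the name no longer resolves) -> CURL-FAIL-<exit code>
#   5xx (load balancer with no healthy targets)   -> HTTP-<code>
#   anything else                                 -> region from the page, or UNKNOWN
classify() {
  rc="$1"; code="$2"; body="$3"
  if [ "$rc" -ne 0 ]; then
    echo "CURL-FAIL-$rc"
  elif [ "$code" -ge 500 ]; then
    echo "HTTP-$code"
  else
    region=$(extract_region "$body")
    echo "${region:-UNKNOWN}"
  fi
}

# State tracker: prints a line only when the observed state changes, together
# with the seconds spent in the previous state. A run reads like:
#   [t=0]     US EAST 1
#   [t=+2s]   HTTP-502   (after 2s of US EAST 1)
#   [t=+25s]  EU WEST 1  (after 25s of HTTP-502)   <- the failover window
LAST_STATE=""
LAST_CHANGE=0
LAST_ELAPSED=0
record() {
  state="$1"; now="$2"
  if [ "$state" != "$LAST_STATE" ]; then
    if [ -z "$LAST_STATE" ]; then
      LAST_ELAPSED=0
      printf '[t=0]     %s\n' "$state"
    else
      LAST_ELAPSED=$((now - LAST_CHANGE))
      printf '[t=+%ss]  %s  (after %ss of %s)\n' \
        "$LAST_ELAPSED" "$state" "$LAST_ELAPSED" "$LAST_STATE"
    fi
    LAST_STATE="$state"
    LAST_CHANGE="$now"
  fi
}

# One poll: fetch the page, keeping curl's exit code and the HTTP status apart.
poll_once() {
  tmp=$(mktemp)
  code=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' "$URL")
  rc=$?
  body=$(cat "$tmp"); rm -f "$tmp"
  classify "$rc" "$code" "$body"
}

watch() {
  while :; do
    record "$(poll_once)" "$(date +%s)"
    sleep "$INTERVAL"
  done
}

# Run the loop only when invoked as `./failover-watch.sh watch`, so the
# functions can be sourced or tested without touching the network.
if [ "${1:-}" = "watch" ]; then
  watch
fi
```

Note that the 5s curl timeout means a hung (rather than refused) target stretches the polling interval, so the elapsed figures are accurate to a few seconds, which is enough to separate the 17s and 50s results discussed later.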

Health Checks, TTL, & ALBs v. NLBs

Out of the gate, there are a few very major items that can be tuned to improve failover performance without dipping into any Route53 architecture, mainly TTL and health check frequency. TTL (time to live) determines how long the DNS resolver is supposed to keep the DNS query cached before doing another one. By default, AWS Route53 record sets have a TTL of 300s, which is probably fine for most purposes. However, when you are staring at a stopwatch waiting for your script to flip from “US EAST 1” to “EU WEST 1”, those 300s feel like an eternity. In preliminary testing, the speed of failover correlated with a shortened TTL. For all my tests, I dialed the TTL down to 1s. To be honest, I am not certain of the implications of this beyond every call to the service requiring a DNS lookup along the way, but since the goal is to make sure that things fail over as fast as possible, and the larger TTL values slowed those failovers, I concluded that the tradeoff was worth it.

The next major thing that will impact failover performance is the count and interval between each Route53 health check. These are found under the Advanced Configuration options when configuring a health check.

Leaving the failure thresholds and request intervals at their defaults guarantees at least 90s before any health check-based routing policy takes effect. For the tests below I dialed this down to a failure threshold of 1, and a fast 10s request interval.

Finally, and something that initially confounded my results after a few days’ worth of testing, is the difference Application Load Balancers and Network Load Balancers make to failover performance. I’ll leave it to Amazon to explain the distinction, but the short answer is that ALBs operate at the application layer (layer 7 in the OSI model) and NLBs operate at the transport layer (layer 4). It turned out that setting up ALBs in front of the Apache servers measurably hurt failover performance compared to NLBs, so pick NLBs if performance is king.

So let’s start looking at what kind of policies we can play with in Route53 and how they compare.

Latency Routing + Nested Failovers

This design starts with latency routing to point the requestor to the region with the best performance for them, and after that uses a series of cascading primary/secondary failover policies to route the requestor to the endpoints. Each region’s primary route maps to the DNS of the ALB in front of that region’s cluster. The first failure routes to a second Route53 alias, which itself is then mapped to a second primary/secondary failover policy. That failover’s primary route maps to the DNS of a second region’s ALB, and its failure to the DNS of the third region’s ALB. As such, each region has hard-coded primary, secondary, and tertiary routes to hit the cluster, and some care must be taken that the secondary and tertiary routes make sense based on the regions used by your design. This could scale up to as many regions as needed, at the cost of a significant number of Route53 objects.

We can reuse the health checks at each ALB for decision points further up the routing policy since the decisions are ultimately based on the health of the targets behind those ALBs. Here we built the AMERS side of the routing tree and attached health checks to the Primary Failover routing aliases, as well as all three Latency aliases.

We fire up the testing script and start grepping. As expected we see sso.redbeardidentity.com getting served by US-East-1. Once we shut it off we see the expected “Bad Gateway” error as the ALB responds with no valid targets.

But then, “Bad Gateway” doesn’t switch to EU-West-1. Instead, we can no longer resolve sso.redbeardidentity.com at all.

So what happened? Well, it worked exactly as we told it to. When using the failover design, applying health checks at the latency routing layer broke the additional routing policy applied beneath it- or that is to say, it made it entirely redundant. This makes sense since Route53 evaluates the health of the sso.redbeardidentity.com -> sso.amers.redbeardidentity.com leg, finds it unhealthy, and instead sends the traffic to the next best alias based on latency from my point of origination- which looks like EU-West-1 from my mid-Atlantic origination point. Since I didn’t bother building the EMEA routing tree as part of this exercise, it didn’t switch to EU-West-1 once the latency layer switched from sso.amers.redbeardidentity.com to sso.emea.redbeardidentity.com. Dropping the health checks at that layer allows the next leg down on the AMERS routing tree to be evaluated.

And if we kill httpd on EU-West-1, we failover to AP-Southeast-1.

So let’s build out the rest of the routing trees in the EMEA and ASPAC regions and test our assumption that the failovers will work as we expect. After mapping all the aliases, here is what I have in Route53:

I added a health check to the sso.redbeardidentity.com -> sso.amers.redbeardidentity.com latency routing layer to force me to fail to the EMEA routing tree.

With US-East-1 down, I should show sso.redbeardidentity.com resolving to EU-West-1-

And then fail to AP-Southeast-1 when I shutdown EU-West-1.

Shutting down AP-Southeast-1 results in a failure to resolve sso.redbeardidentity.com as long as the US-East-1 latency health check keeps me in the EU-West-1 routing tree.

As nice as it is to predictably fail to a given region with the primary/secondary/tertiary routing available with this design, the variability of failover performance at the latency layer is a huge drawback. Under the best of conditions, with Network Load Balancers as the endpoints, failing from AMERS to EMEA took 25s, and EMEA to ASPAC 23s. Using ALBs, the failovers took 50s from AMERS to EMEA and 45s EMEA to ASPAC. However, the lack of health checks required to use this configuration means you are at the mercy of Route53’s next latency calculation. For every test that took seconds to failover, there was another that took minutes to do so, with some tests lasting over 10 minutes before failing over. That is a bit too much variability for me to consider this latency + nested failovers a serious contender for production design.

Latency Routing + Weighted Routing

What if we could accomplish the same outcome as the nested failovers using far fewer Route53 objects? Turns out weighted routing can do just that. This happens to be the configuration currently in use in the open-sourced branch of my AWS deployment of PingFederate.

In a traditional weighted routing configuration, you set weights for each alias, and the requests are sent proportionally to the weight given to each alias. This isn’t a percentage calculation. For example, if you had three nodes that you wanted to serve traffic behind sso.redbeardidentity.com, you would create three weighted record sets and map sso.redbeardidentity.com to each of their DNS names. If you assigned the first node a weight of 10, the second a weight of 100, and the third a weight of 33, it would mean that for 143 requests headed to sso.redbeardidentity.com (the total sum of all the weight values for the record sets), Route53 would route it so that the first would handle 10/143, the second 100/143, and the third 33/143. This means we can assign an arbitrary weight to a single record set for our ALB and arrange that 100% of the traffic goes to that weighted alias. Place a weighted policy behind a latency policy and, when the weighted record becomes unhealthy, Route53 will go back up to the latency routing tier to find the next available weighted policy capable of fulfilling the request- which means we have a much simpler method for multi-region failover.

For this, we are using Aliases to point the three regional latency routes to their corresponding regional weighted routes.

It will look like this when you are done.

So once again, we start hitting sso.redbeardidentity.com to see which node fulfills the request. We start with US-East-1. Given our 1s TTL and 10s/1-strike health check, hopefully, we should hop to EU-West-1 in about 15s assuming EU-West-1 remains the next best latency experience from my mid-Atlantic point of origination.

Fifty seconds for failover is respectable, but not what I was hoping for. In other tests, I have seen the failover vary between 30 seconds to five minutes when using the generic “evaluate target health” option on the latency policy, which I suspect has to do with the timing of the failover and Route53 re-evaluating its regional latency. Rather than deal with that variability, we can instead just apply the health checks we use on the weighted policies on the latency policies to make the failover timeframe more predictable.

This configuration got the time down to 30 seconds. I think it’s because we lose control over the TTL when using aliases. If we switch the configuration to CNAMEs, set the TTL to 1s, and pair it with a 10s health check with a single failure threshold-

And run the test again, things should be good, right?

This wasn’t what I was expecting, because in the days of Route53 testing leading up to actually sitting down and writing out the results I had gotten the failover down to 17–24 seconds with a latency policy atop a weighted policy, using 10s health checks. I was prepared to just chalk it up to the fact that part of using ephemeral, multi-tenant infrastructure is accepting that there will be some measure of variability in performance based on peak usage, behind-the-scenes maintenance, and other factors outside of your control. But that seemed like a cop-out the more I thought about it.

Then I remembered- I was using Application Load Balancers with these tests, and had used Network Load balancers when I saw the lower failover numbers. So let’s replace our ALBs with NLBs, and do the failover test as configured above:

The time to failover improved to 30s for AMERS to EMEA failover, and 25s for EMEA to ASPAC failover. Better, but is there room still for improvement? I reduced the number of health checker regions on the health checks to see if that would reduce the time to fail over at the latency layer.

It did not. So if the regional latency layer is where some of my problems are, maybe I should look into alternative routing strategies, like geolocation.

Geolocation + Nested Failovers

Geolocation allows you to point continent or country traffic to a given DNS alias. As I was already segmented into AMERS, EMEA, and ASPAC, I divided the seven continents plus the default location record set into those regions.

Whereas latency + weighted routing performs failover when a region is lost, I was not certain if the same would happen with geolocation routing. I attached the corresponding health checks for each NLB that would serve each region and ran a test- it would not failover. It looks like in order to use geolocation, we will need to break open the cascading failover routing trees again, giving us something that looks like this:

A non-trivial count of Route53 objects later and it is built.

But does it improve anything compared to the simpler arrangements? Using Network Load Balancers, which at this point have proved themselves the go-to if you value performance, I got an AMERS to EMEA failover of 17s and EMEA to ASPAC of 23s.

While these are not the best numbers I have ever achieved from a battery of tests (there appears to be some variability in the Route53 service), they represent the best consistent failover numbers I have gotten from the tests I ran where all other controls were kept equal. As such, I have to call this one the winner overall.

Additional Thoughts

In all of the designs, the thing that introduces at least 10s of delay every time is waiting for a failed health check. Another design scenario I had considered was using Network Load Balancers pointed to elastic IP addresses which were assigned to other NLBs in peered VPCs. Assuming this were possible, it would let us use the much tighter health check values to add or drop regions much more quickly than what is available in Route53. I abandoned that test because using an NLB in that manner wouldn’t let us keep traffic constrained to a single region, which is one of the goals. Distributing a connection across various regions doesn’t net us any sort of performance benefit from regional sub clustering. So even if I got that arrangement to work, it would short circuit the entire point of the exercise. The limited amount of time I spent poking around the console trying to build something like that leads me to think it’s not an option, and that if it were then it’s not going to be solved with just the features in EC2 and Route53.

I think this is about as tight as I am getting this through Route53, and given that the scenario under which we would observe those 17–23s of blip during the regional failover is if all the nodes in a given region are down, I suppose I must make peace with that being “good enough.” It isn’t as satisfying a conclusion as I had hoped for, but it was still a fun learning experience.

Jon Lehtinen

Thomson Reuters

Board Member, IDPro

Identiverse® has been IDPro’s ‘home’ event for the past few years and it is considered the identity industry conference for those “in the know.” The conference has always been a great opportunity to connect with identity professionals across the industry and share our experiences and knowledge on new standards, technologies, solutions and products, and more. 

This year, for the first time in 11 years, the digital identity industry will not be able to meet in person at the event. But that will not stand in the way of our community continuing to support its members. Instead, Identiverse will be held as a series of webinars starting early June with presentations each week to accommodate a global audience. Most of the presentations will offer a live Q&A and will also be recorded and available on-demand. 

This year, IDPro will be presenting the following topics at Identiverse: 

  • IDPro Introduction to Identity (i)
    By: Stephen Hutchinson, Principal Cybersecurity Architect of GE Digital and founding member of IDPro
  • IDPro Introduction to Identity (ii)
    By: Stephen Hutchinson, Principal Cybersecurity Architect of GE Digital and founding member of IDPro
  • The Skills and Experiences of Identity Practitioners
    By: Pamela Dingle, Director of Identity Standards of Microsoft and Ian Glazer, VP of Identity Product Management for Salesforce and Founder and President of IDPro

A number of IDPro members had proposals accepted through the call for presentations and will also be speaking. You can review the complete Identiverse agenda here.

We look forward to connecting with you and in the meantime, we hope you will catch up on past IDPro member presentations here.

Follow @IDPro and @Identiverse on Twitter for more updates. 

Learn more about the 2020 Identiverse Virtual Conference: https://identiverse.com/2020/05/04/different-format-same-wow-factor/

Have questions about Identiverse? We’ve got you covered: https://identiverse.com/frequently-asked-questions/

The first edition of the Body of Knowledge (BoK) is starting to come together with the help of topic shepherds assigned to the different sections to help manage content.

More authors for the different sections are needed, however, and the best authors in this space are identity practitioners! We’re looking for individuals willing to write material that will ultimately drive the IDPro Certification Program. Topics include the digital identity life cycle, different forms of access control, IAM and business processes, and more.

By being involved, you will help improve the identity ecosystem and have your name noted as an expert in the field. We are looking for submissions for this first edition and will begin the editorial work in April 2019.

You won’t be going this alone! There will be review cycles with the BoK committee and a professional editor to provide feedback and establish consistency of terminology across all submitted material. We are also using templates to help make sure that all the articles follow a similar style, with an eye towards making the final compendium easier to understand for the reader.

If you are interested in being a part of this effort, please reach out to info@idpro.org. If you want to make a contribution, even after the editorial phase starts, please reach out. There will still likely be an opportunity. We will work with you from there.


IDPro is a silver sponsor of KNOW 2019 and will have a booth on the show floor (come visit us!).

We and our member organization, Kantara Initiative, are helming a 3-hour workshop at KNOW oriented toward the early-stage identity and access management professional who wants to augment their knowledge and understanding of all things identity, access management, consent, and privacy. Join us starting at 13:00 on Sunday, March 24th for the ‘Master Class: Building an Infinity Gauntlet’ with Sarah Squire, Steve “Hutch” Hutchinson, Colin Wallis, Catherine Schulten, Katherine Noall, Katryna Dow, and Salvatore D’Agostino.

Happy new year!

Since our inception, IDPro’s goal has been to develop and foster a community where digital identity professionals can learn more about issues and technologies related to their field, interact with other professionals across the globe, and engage in professional development.

A primary goal for the organization in 2019 will be to accelerate development of the IDPro Body of Knowledge (BoK) – our collection of curated articles, whitepapers, and resources that is destined to form the basis of a robust learning and – in time – certification program for the identity professional.

Volunteer efforts by members of IDPro and of the wider IAM community around the world are already in progress and will take us a long way towards our goal.

But to deliver a robust set of materials at the high level of quality to which we aspire, we need to get some extra help — professional project management and editorial resources — and for that, we need additional, dedicated funds.

To that end, this spring at the RSA Conference 2019 in San Francisco, IDPro will be hosting a social event for identity and access management professionals to connect with each other, exchange best practices, tell identity jokes, etc. This event will also serve as a fundraiser for the IDPro BoK – the funds contributed in support of our BoK Bash will be split between hosting the social gatherings and supporting the development of the BoK.

All contributors to this event – whether existing IDPro members or not – will receive the following benefits:

  • Prominent branding as a co-host of the event, in all print and social media promotions and collateral
  • Permanent acknowledgement as a founding supporter of the IDPro Body of Knowledge
  • A list of those attendees who have opted in for information sharing
  • Our gratitude for your support and a special thank you gift (to be determined).

We welcome contributions from organizations in any amount and propose the following for your consideration:

  • Platinum Sponsorship: $25,000
  • Gold Sponsorship: $15,000
  • Silver Sponsorship: $10,000
  • Bronze Sponsorship: $5,000

Our goal is to raise a total of $100,000 – any contribution you can make will be welcome.

If you would like to sponsor this event, please complete and return this sponsorship contract. Feel free to contact either me or the IDPro Executive Director, Debbie Mac, should you have any questions or would like to support in another manner.

Here’s to a healthy, happy 2019, amazing progress on the Body of Knowledge, and your ongoing support!

Sincerely,

i

PS: I’m sure you have further questions and so… here’s a handy FAQ.

What type of event will the Bash be?

Currently the ‘event’ is scoped as a two-day morning coffee (Tuesday and Wednesday) gathering, where IDPro members and guests will have an opportunity to meet, sync schedules and interests, and reconnect after a full day of sessions to compare notes. This is subject to change based on venue availability. Another option is an evening social event/activity such as an escape room and reception.

When will we know if the event will be a go (i.e. viable)?

We will inform all sponsors by February 12, 2019 (or one week earlier?) if we have sufficient interest for this event. Any funds committed will not be accessed until the event has reached minimum viability.

What do sponsors receive?

In addition to the benefits outlined above, Platinum sponsors will be able to place collateral on a tabletop and have their logo(s) printed on promotional items/giveaways.

What should sponsors provide?

  • A responsive primary point of contact, as the timeframe between soliciting sponsorships and the event itself is short.
  • High resolution logos and company boilerplate
  • Marketing contact (as desired)

Will you limit the number of sponsors?

We have a limited number of opportunities for the Platinum sponsorship but have no limits for the other sponsorship levels.

A day past the closing of Identiverse (née Cloud Identity Summit) 2018 and IDPro is already in the news! More to come from us about what we shared and what we learned from this event, but in the meantime, read a bit more about developing identity professionals with us and founding member, Olaf Grewe.

Expo: For the first time, we’ll have a table (#429) at Identiverse in the Expo along with other industry partners.

Stop by to:

  • Meet with board members (primarily at the welcome reception on Sunday night – 5-7pm, breakfast and lunch)
  • Pick up an IDPro member table-top sign – For members exhibiting at Identiverse or who will be exhibiting at other events
  • Get your IDPro ribbon for your badge
  • Grab some IDPro swag – stickers, buttons
  • Take a quick break, meet other IDPro members, & recharge your devices.

HAPPY HOUR: IDPro and one of our members, Omada, will be hosting a happy hour on Monday, June 25th at the SideBar in the Sheraton Boston Hotel (39 Dalton St.) from 7:15 – 8:15pm. First drink is on us! Please RSVP with Omada or stop by the expo table to register so we can ensure adequate accommodations.

Social Media: Be sure to follow @idpro_org and tag things that you find interesting to #idproTips

Sessions and Workshops

Day | Time | Location | Speaker | Title
Monday | 9:30 – 11:05am & 2:00 – 3:35pm | | Managers, Steve Hutchinson & Allan Foster | IOT and ID Professionals Track
Monday | 10:40 – 11:05am | Room 312 | Allan Foster | Data Toxicity
Monday | 1:15 – 1:45pm | Ballroom | Andrew Hindle & Ian Glazer | Our Secret Strengths: The Skills of an Identity Professional
Tuesday | 9:30 – 9:55am | Room 311 | Lance Peterman | Revisiting Privileged Access in Today’s Threat Landscape
Tuesday | 10:05 – 10:30am | Room 311 | Sarah Squire | I’m sorry Dave, I’m afraid I can’t do that: a harm reduction plan for cloud applications
Wednesday | 9:30 – 9:55am | Room 310 | Lance Peterman | A Digital Identity Journey in the Life Sciences: Through the Horse’s Ears
Wednesday | 4:00 – 4:25pm | Room 312 | George Dobbs | Recognizing Customers at a Distance: An Industrial Age Company’s Journey Toward Trusted Identity
Wednesday | 2:25 – 2:50pm | Room 304 | Sarah Squire | Masterclass: Access Management Verifies Enterprise Mobility Management Status of Mobile Device
Wednesday | 4:00 – 4:25pm | Room 304 | Sarah Squire | Masterclass: Delegation of Access Management and Trust Elevation for Privileged Access
Wednesday | 4:30 – 4:55pm | Room 304 | Sarah Squire | Masterclass: Access Management Checks for Cloud Access Security Broker

And check out the Identity Professionals Track: Monday, June 25th – Room 304

Start Time | End Time | Speakers | Title
09:30 | 09:55 | Jon Lehtinen | Going from Strategy to Execution in Your Enterprise Identity Transformation
10:05 | 10:30 | Dave Shields | Don’t Hire an IAM Engineer, Make One!
10:40 | 11:05 | Johannes Müller, Olaf Grewe | Moving Identity Talent Development Beyond the Basics
11:15 | 11:40 | Heidi Wachs, Josh Alexander | Panel: Hot Potato – Should Identity Professionals Own Security?
14:00 | 14:25 | Grant Reveal | SSO as both a Security AND Business Tool
14:35 | 15:00 | Todd Rossin | Best Practices for IAM Assessments, Blueprints & Roadmaps
15:10 | 15:35 | Arnoldo Mullers, Paul Bedi | Similarity Cracks the Code on Black Box AI with Explainable Machine Learning in Identity Management

Before I talk about what IDPro has accomplished this year and where we are headed in 2018, I simply want to say, “Thank you.” Thank you for supporting each other through engaging discussions on the email list and in Slack. Thank you for meeting each other at events around the world and at your local meetups. Thank you for spreading the word about us. Thank you, for without your support there would be no home for the identity professional. Thank you.

I simply cannot believe that it’s only been 6 months since IDPro was launched. In that time we have:

  • grown to over 250 members with 20 corporate members
  • collaborated with one another on the listserv as well as in Slack. By the way, I am thrilled to see the number of Slack channels grow – we have nearly 20. I am also glad to see the good-natured conversations we are having there: supportive, informative, and slightly irreverent – #random, I’m looking at you
  • released our first newsletter and with that a huge thanks to Catherine for writing our first article and a huge thanks to the Editorial Committee for building the newsletter process
  • identified over 50 identity-related Meetup groups around the world
  • curated a list of identity-related conferences, meetups, and webinars to provide a one-stop shop for what’s happening in the industry

So what does 2018 have in store for us? Our Board met in December (in my dining room) to figure that out. Things that you can look forward to include:

  • IDPro-related content at EIC and Identiverse and more. I’d love to see IDPro pre-conference workshops as well. (Let me know if you are interested in helping!)
  • More IDPro-content at meetups around the world
  • Enterprise and group membership packages
  • Starting the journey towards certifications

But the most important destination for us in 2018 is where you want to go. Where do you want to see IDPro at the end of 2018? What services are you most interested in? As Founding Members, you can participate in our Advisory Board. When we convene the Advisory Board in 2018 — likely around major identity and security events — we want to talk in more depth about what the organization is today and how you’d like to see it grow tomorrow. But don’t wait for those meetings! Please reach out to me or to any of the other board members with suggestions and feedback.

Lastly, on behalf of the Board, I wish you and your loved ones a very healthy and happy 2018!

Ian

It’s hard to believe that it’s been three months since we formally launched IDPro at CIS. I wanted to take a little time to update everyone on what we’ve been up to.

As I wrote about a while back, we have seated our Board. We’ve rolled out both a consolidated Events calendar as well as an IAM Meetup calendar. We’ve also started to consolidate links to IAM User Groups around the world, starting here in the US. If you are a corporate member and want to list your events, just drop us a note. If you help organize a User Group and want to list it on the site, feel free to reach out. Thanks to Hutch for his work to pull all of this together!

Meanwhile, Andi has started to put a framework together to get our newsletter out. The goal is to produce high-quality articles written by this community for this community. As Andi and the Editorial committee start to get their legs under them, if you want to contribute, please let him know.

I’m delighted to report that we now stand at nearly 150 individual members; and we are joined by corporate members including ADP, Gigya, Ping Identity, Radiant Logic, and SailPoint. Welcome! We look forward to working with you as we develop our organisation.

I also wanted to share a little about our membership with everyone. As you know, we invite new members to fill out a short survey about themselves and their interests. The bulk of you (49% of respondents so far) learned about IDPro at a conference. Interests in the services IDPro should offer range across professional development and ongoing education to keeping current on identity technology and news to community building. The next services respondents have asked for include learning materials (29%), monthly newsletter (19%), weekly news clipping and quarterly webinars (both at 17%).

The majority of our membership are between the ages of 35 and 54. Our membership is primarily white and primarily male. I am heartened to see that 38% of us are not LGBTQ but identify as an Ally. As an industry we have work to do to increase diversity but I know we can do this.

To me the most important thing IDPro can do is help strengthen our community. There are upcoming meetups in Hartford, Chicago, Charlotte, and Providence – events you can go to to meet your peers. Another way we can strengthen our community is through discourse; our discussion mailing list is there for that very purpose. From discussing the recent catastrophic breach to social events to asking for advice, we should continue to use the mailing list as a safe space to talk, to learn, and to share.

If you have any feedback for us following our first three months of operation, please email me. I look forward to hearing from you!

New non-profit association will define, support and improve the digital identity profession globally, with support from Gigya, Ping Identity, Sailpoint and Salesforce

WAKEFIELD, Mass., USA – June 28, 2017 – A new association for identity management professionals was announced today, with more than 400 industry professionals already pledging membership. IDPro is an open, global non-profit industry association created to define, support and improve the digital identity profession through knowledge sharing, mentoring, education and certification.

“Identity management is — along with privacy and security — a crucial component for modern business. Each has important roles to play in digital transformation, IoT and data protection use cases,” said Ian Glazer, IDPro president, and vice president for identity, Salesforce. “The multi-billion dollar identity management industry is long overdue for a professional organization of its own that provides identity professionals a place to learn, share and grow. IDPro will be that organization, providing services and accreditation for identity management professionals around the world.”

A Brief History of IDPro
Glazer’s speech Professionalization of the Identity Industry, delivered at the 2016 European Identity Conference, was the catalyst for conversations that led to the founding of IDPro. In response to the speech, the Kantara Initiative established a pledge campaign to gauge industry interest in a digital identity management professional association. Over 400 professionals pledged support in just under 90 days. After a one-year incubation period with Kantara, IDPro has launched as an independent association. Identity and Access Management Industry leaders including Gigya, Ping Identity, SailPoint and Salesforce are among IDPro’s founding organizational members. IDPro has also entered into a mutual collaboration agreement for content, community and training at Identiverse, the renamed Cloud Identity Summit (CIS), an annual conference for identity professionals.

“Identity is now at the core of every major strategic business initiative — from moving to the cloud to empowering the globally distributed workforce,” said Andre Durand, Identiverse host and Ping Identity CEO and founder. “To support this massive shift within the enterprise, Ping Identity is committed to sponsoring initiatives — like IDPro and Identiverse — that bring together the brightest minds across the identity and security industry.”

Joining IDPro and Professional Industry Accreditation
Individual and organizational membership opportunities are offered by IDPro to identity professionals and sponsoring organizations. Three levels of participation are available for organizations: Affiliate, Advocate and Champion. Over time, accreditation criteria for practicing digital identity management professionals will be set by the IDPro Governance Board and reviewed annually. For more IDPro information, click here or email info@idpro.org.

Additional Industry Support For IDPro

Gigya
“Gigya is excited to become a founder member of IDPro. As a leading Consumer Identity and Access Management (CIAM) provider, Gigya is committed to the establishment and cultivation of an identity professionals community. We share IDPro’s notion that identity practitioners have been without a professional organization for too long. We are happy to support the effort to help identity professionals define, improve and learn more about their trade. This effort will also allow identity professionals to be united in voicing their opinion on identity-related issues globally and to work towards their common interests.”
-Eyal Magen, Chief Strategy Officer, Gigya

SailPoint
“SailPoint is proud to be a founding member of IDPro. Building a professional community in this important area of specialization is a significant step in the right direction. Identity and access management is now at the center of enterprise security, so building a professional body for it is a key next step.”
-Darran Rolls, chief technology and chief information security officer, SailPoint

SecureKey
“We are excited to work with IDPro to continue strengthening digital identity across the globe. The concept of building an organization of digital identity practitioners is long overdue – like the security, privacy and business disciplines, identity professionals need to come together and set the agenda for digital transformation. SecureKey is a pioneer for consumer digital identity and we’re excited to help organizations formalize the importance of identity in a modern digital economy.”
-Andre Boysen, Chief Identity Officer, SecureKey Technologies

Additional Information

  • Learn more about IDPro
  • Join IDPro Identity Management Association
  • Email info@idpro.org for more corporate memberships, news and information


Contact Information
Bob Olson, Virtual, Inc.
+1.781.876.8839
rolson@virtualmgmt.com