<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>identity-management « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/identity-management/</link>
	<description>Feed of posts on WordPress.com tagged "identity-management"</description>
	<pubDate>Mon, 07 Dec 2009 12:27:35 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Recap: Enterprise SaaS Working Group - Identity Management in the Cloud]]></title>
<link>http://conformity.wordpress.com/2009/12/04/recap-enterprise-saas-working-group-identity-management-in-the-cloud/</link>
<pubDate>Fri, 04 Dec 2009 22:11:52 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/12/04/recap-enterprise-saas-working-group-identity-management-in-the-cloud/</guid>
<description><![CDATA[We had a great second meeting of the Enterprise SaaS Working Group this week, which focused on the t]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We had a great <a href="https://cc.readytalk.com/play?id=ethxbb" target="_blank">second meeting</a> of the Enterprise SaaS Working Group this week, which focused on the topic of access and identity management for the cloud. Participants in the session included Chris Bedi from <a href="http://www.verisign.com/" target="_blank">VeriSign</a>, Peter Dapkus from <a href="http://www.salesforce.com" target="_blank">Salesforce.com</a>, Ryan Nichols from <a href="http://www.appirio.com" target="_blank">Appirio</a> (who also provided a great summary of the event on the <a href="http://blog.appirio.com/2009/12/enterprise-saas-working-group-identity.html" target="_blank">Appirio blog</a>), Steve Coplan from <a href="http://www.451group.com/">The 451 Group</a>, Michael Amend from <a href="http://www.dell.com" target="_blank">Dell</a>, Doug Harr from <a href="http://www.ingres.com/" target="_blank">Ingres</a> and Scott Carruth from <a href="http://www.initiatesystems.com" target="_blank">Initiate Systems</a>. Our initial discussion focused on the unique management challenges created by SaaS and cloud applications due to the identity silos they create in the enterprise, as shown below.</p>
<p><a href="http://conformity.wordpress.com/files/2009/10/120209-eswg-graphic.png"><img class="aligncenter size-full wp-image-452" title="Cloud Applications and Identity Management" src="http://conformity.wordpress.com/files/2009/10/120209-eswg-graphic.png" alt="Cloud identity in the enterprise" width="450" height="343" /></a></p>
<p>The ensuing roundtable discussion focused on the impact these issues are having in the enterprises, with a particular focus on the following topics:</p>
<ul>
<li><strong>Speed bump or show stopper &#8211; </strong>on the question of whether access and identity management issues were going to be a &#8216;speed bump&#8217; or &#8216;show stopper&#8217; for SaaS adoption in the enterprise, the answer really revolved around timing and depth of penetration. While today it is more of a speed bump for initial adoption in the enterprise (or else we wouldn&#8217;t be seeing enterprise deals today), the issues become more problematic when considering what it will take for SaaS and cloud applications to become a &#8216;mainstream&#8217; technology. Taken from that perspective, there was agreement that identity issues around access, authentication and authorization created by SaaS identity &#8216;silos&#8217; were soon going to become major, and that they need to be reconciled and addressed.</li>
<li><strong>The directory redefined</strong> &#8211; one of the questions we posed was around the future of the corporate directory, and whether enterprises would ever permit it to live in the cloud. Chris Bedi of VeriSign made the great point that the more relevant and important question is what a directory really becomes in a cloud-centric environment &#8211; where it ends up residing will be a function of how that question is answered.</li>
<li><strong>Federated identity &#8211; </strong>related to the directory point, the group generally also agreed that in a cloud-centric (or even hybrid SaaS/on-prem) environment there was unlikely to be a monolithic directory or source of identity-related data, and that SaaS applications, HR systems and directories (on-prem and cloud) would likely each contain &#8216;versions of the truth&#8217; that will need to be synchronized and federated. Ryan Nichols provided a very interesting example of how Appirio themselves have built a cloud-centric organization with Salesforce.com and Google both providing separate but complementary directory and identity data.</li>
<li><strong>Identity done right</strong> &#8211; Doug Harr made the excellent point that current cloud identity challenges actually offer an opportunity for SMB and midsize enterprises who haven&#8217;t been able to invest in identity and systems management technologies to date to &#8216;get it right&#8217;.   IAAS and cloud-based identity management services will likely make these capabilities cost-effective for these target markets for the first time, enabling these organizations to effectively &#8216;white sheet&#8217; their identity management approaches for both cloud and on-premise applications.</li>
</ul>
<p>The full recording of the webinar is available and can be accessed by clicking <a href="https://cc.readytalk.com/play?id=ethxbb" target="_blank">here</a>. Please drop us an email at <a href="mailto:eswg@conformity-inc.com">eswg@conformity-inc.com</a> to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Conformity named to Network World's Top 10 IT Management Start-Ups to Watch]]></title>
<link>http://conformity.wordpress.com/2009/12/03/conformity-named-to-network-worlds-top-10-it-management-start-ups-to-watch/</link>
<pubDate>Thu, 03 Dec 2009 21:50:28 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/12/03/conformity-named-to-network-worlds-top-10-it-management-start-ups-to-watch/</guid>
<description><![CDATA[We&#8217;re  honored to announce that Conformity has been named to Network World&#8217;s prestigious]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We&#8217;re honored to announce that <a href="http://www.conformity-inc.com" target="_blank">Conformity</a> has been named to Network World&#8217;s prestigious <a href="http://www.networkworld.com/news/2009/113009-it-management-companies-to-watch.html?t51hb&#38;hpg1=mp" target="_blank">Top 10 List of IT Management Start-Ups to Watch for 2009</a>. This year&#8217;s list features emerging management technologies that help IT organizations deliver optimized services in increasingly virtualized and cloud-computing-oriented environments.</p>
<p>We&#8217;re particularly excited by the fact that the focus of this year&#8217;s list reflects the realization that &#8216;the other shoe is about to drop&#8217; with SaaS and cloud applications, and that IT is going to need a new generation of solutions to help address the unique identity and systems management challenges created by on-demand technologies.  Jasmine Noel, co-founder and principal analyst at <a href="http://www.ptaknoelassociates.com/" target="_blank">Ptak, Noel &#38; Associates</a> characterized it well in the article, commenting that &#8220;Conformity offers an interesting concept because if all IT managers do jump on the cloud, then they are going to have to figure out the best way to integrate and manage access to these services, while ensuring that everyone&#8217;s identity is consistent.&#8221;</p>
<p>We believe that the initial challenges that enterprise CIOs are facing around SaaS and cloud identity (user authentication, provisioning, etc.) are just the tip of the iceberg, both in terms of the breadth of the coming problems and the solution that <a href="http://www.conformity-inc.com">Conformity</a> will be providing.  The migration to SaaS and cloud applications creates a fundamental convergence of identity and systems management issues, creating the need for a &#8216;rethink&#8217; of what management solutions need to be in a cloud-centric environment &#8211; that&#8217;s our mission here at Conformity, and we&#8217;re excited about the validation of our vision by <a href="http://www.networkworld.com" target="_blank">Network World</a>.</p>
<p><a href="http://www.networkworld.com/news/2009/113009-it-management-companies-to-watch.html?hpg1=bn" target="_blank">Read the full article here &#62;&#62;</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The identity crisis (2) - What is identity?]]></title>
<link>http://blog.xot.nl/2009/12/03/the-identity-crisis-2-what-is-identity/</link>
<pubDate>Thu, 03 Dec 2009 21:21:05 +0000</pubDate>
<dc:creator>Jaap-Henk</dc:creator>
<guid>http://blog.xot.nl/2009/12/03/the-identity-crisis-2-what-is-identity/</guid>
<description><![CDATA[Many systems for identity management suffer from severe security, privacy and usability issues. Prev]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Many systems for identity management suffer from severe security, privacy and usability issues. <a href="http://blog.xot.nl/2009/11/04/the-identity-crisis-1-membership-vs-ownership">Previously</a> I discussed how the difference between membership and ownership contributes to the resulting &#8220;Identity Crisis&#8221;. Today I will argue that another fundamental question &#8211; &#8220;What is identity (anyway)?&#8221; &#8211; is not properly addressed by identity management systems yet.<!--more--></p>
<p>First note that identity is <em>not absolute</em>. An identity describes an entity (a person, a computer, an organisation, etc.) within a specific <em>scope</em>. More formally: The identity of an entity within a scope is the set of all characteristics that have been attributed to this entity within that scope. For example, you may have one identity within the scope of your job, containing information such as your employee number, and another identity within the scope of your family, containing information on the food you like. Identities are therefore only valid in a specific scope.<br />
If an identity contains many characteristics, it may uniquely identify a particular entity within a scope. However, with only a few characteristics, many entities are likely to match.</p>
<p>It immediately follows that entities have, in general, <em>multiple</em> identities. These identities may partly overlap, but can also be mutually inconsistent. I have blue eyes in all contexts (i.e. scopes), but may go by different names, or nicknames, in different contexts. In extreme cases, people are known to live parallel lives. Sometimes, hardly anybody knows that particular identities in different scopes belong to the same entity.</p>
<p>To uniquely identify entities, one needs to rely on <em>identifiers</em>, not identities. This distinction between identity and identifier is important, and not always properly understood. The confusion is understandable, because in common parlance identity is almost synonymous with personal name, which in turn is understood to be a unique identifier. Again, identifiers (e.g. a user name) are only valid (and guaranteed to be unique) within a scope.</p>
<p>Identity is <em>not unique</em>. Even within a single scope, people may have several different identities. Within the scope of my family I am not only a father (to my kids) but also a husband (to my wife). Moreover, the identity of an entity is perceived differently by different people, or perceived differently by the same people at different times or in different contexts. Someone may be trusted by one person, but not by another, or only within a certain context.</p>
<p>Virtual identities, in the virtual world, can be connected to entities in the real world, but this connection may be loose. For example, computers behind an IP address may be replaced. Ownership of game characters or avatars may be transferred between people over time. In fact, there is quite a large amount of trade in such virtual identities. Likewise, functional roles within companies may look, to external observers, as entities with a particular identity, but different people may actually be assigned to such a role over time.</p>
<p>Identity is also <em>dynamic</em>. Assertions about someone&#8217;s age change when time passes. Your financial situation changes over time, and so do your friendships.</p>
<p>Identities may exist long after an entity ceases to exist.<br />
The <em>lifetime</em> of an identity does not correspond to the lifetime of the associated entity. Most of the time identity information is not updated or deleted after it has become inapplicable. Again, this introduces a privacy risk. But sometimes claims about an entity actually need to be kept long after the entity itself disappears. For accountability reasons, service providers store usage information for quite some time, sometimes several years.<br />
The situation is reminiscent of the difference in lifetimes between keys and certificates (themselves a possible part of an identity). A certificate needs to be kept long after the key it certifies has expired, to allow parties to verify the signatures made with that key.</p>
<p>Identity is not only what you want to reveal about yourself, but also what others conclude, believe or find out about you. This data may be wrong, become invalid over time, be misrepresented, or be misleading, etc. In other words, an identity does <em>not necessarily correspond to reality</em>. Moreover, it shows that an identity <em>has many owners</em>: it is not only owned by the entity it describes, but also collected and therefore owned by others. A fine example of this is your health care records, which are collected by GPs, doctors and other health care personnel. This also has important privacy ramifications, by the way.</p>
<h3>Consequences</h3>
<p>Instead of one single identity containing all characteristics taken from all scopes, it is therefore more natural to view identity as a collection of multiple identities (a set of sets), each with their own scope. Note, by the way, that this nicely aligns with the understanding that privacy ensures that information about a person does not leak from one scope into another.</p>
<p>When scopes merge (e.g. if companies merge) identities may clash. If an entity has an identity in both scopes they may not get merged at all, and as a result the scope perceives two entities where there is only one. For example, a person may have an account with two different SPs, both of which require the user to use an SP-specific IdP. How to determine what an entity&#8217;s identity is in the new scope when the two SPs merge? Or when the two IdPs merge?</p>
<p>The fact that identities continue to exist long after the entity dies results in a wealth of personal information stored in many places, leading to privacy risks for users. It may also result in IdPs giving out incorrect claims, damaging their reputation as a trusted partner that is always right. Furthermore, claims may continue to exist indefinitely, even after identity information is deleted. When the claim of an old identity still exists and a new identity is created with the same identifier, the two may seem to refer to the same entity, while this is not the case.</p>
<p>Managing identities does not only mean handling new and fixed identities within one scope, but also handling the complex situations of changing identities in changing scopes, and managing the different perceptions of identity within the same scope. This is a challenge for identity management systems, to be solved in a way that is both user-friendly and secure.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Prospects fade for quick Real ID repeal - Nextgov]]></title>
<link>http://cyberthreat.wordpress.com/2009/11/27/prospects-fade-for-quick-real-id-repeal-nextgov/</link>
<pubDate>Fri, 27 Nov 2009 22:36:04 +0000</pubDate>
<dc:creator>pmakohon</dc:creator>
<guid>http://cyberthreat.wordpress.com/2009/11/27/prospects-fade-for-quick-real-id-repeal-nextgov/</guid>
<description><![CDATA[Prospects fade for quick Real ID repeal &#8211; Nextgov: &#8220; Prospects fade for quick Real ID re]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://www.nextgov.com/nextgov/ng_20091124_7157.php">Prospects fade for quick Real ID repeal &#8211; Nextgov</a>: &#8220;</p>
<p>Prospects fade for quick Real ID repeal<br />
BY CHRIS STROHM, CONGRESSDAILY 11/24/2009<br />
Congress appears increasingly unlikely to repeal a sweeping driver&#8217;s license law by the end of the year, which may force the Homeland Security Department to grant blanket waivers to states unable or unwilling to issue licenses that meet federal security standards.</p>
<p>Without the waivers or a congressional repeal, the Real I&#8221;</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Finally the thesis]]></title>
<link>http://tcarlyle.wordpress.com/2009/11/27/finally-the-thesis/</link>
<pubDate>Fri, 27 Nov 2009 20:16:43 +0000</pubDate>
<dc:creator>tcarlyle</dc:creator>
<guid>http://tcarlyle.wordpress.com/2009/11/27/finally-the-thesis/</guid>
<description><![CDATA[After almost six months that I have delivered my thesis, I&#8217;m finally posting it here. It turne]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:justify;">Almost six months after I delivered my <a href="http://tcarlyle.wordpress.com/files/2009/11/thesiskth.pdf">thesis</a>, I&#8217;m finally posting it here. It turned out to be a very extensive document (about 150 pages), but mainly because we first wanted to assess the capabilities of SIM cards, identities and finally trust frameworks. And as I was working together with the SIM Research Team at Telenor and I do have some experience with SIM from when I worked at Gemalto, we spent several pages reviewing the SIM capabilities and trying to figure out the future SIM. We also touched on an aspect that may start to become more present in SIM cards, which is the ability to sense context.</p>
<p style="text-align:justify;">Other pages were spent getting into the identity management world, and this was one part of the thesis which in fact I wished I had more time to go through. I got very interested in going deeper into the field after finally understanding identity frameworks such as Higgins and CardSpace, and especially the concepts on which they are based. At last we studied a bit about trust models, and this was one of the most difficult parts of the thesis, as none of us had much of an idea of trust modeling and it is a topic that can get very complex if studied deeply.</p>
<p style="text-align:justify;">After this long background, we finally chose a new application that could be hosted in state-of-the-art (or future) SIM cards, taking advantage of the fact that the SIM represents one or more identities and can be used to build trust. That application was what I proposed in my paper mentioned in the previous post.</p>
<p style="text-align:justify;">The idea is to use the future SIM cards to sense each other (either through NFC, location information and server interaction, WLAN, etc.), to sense the environment and, based on that, attribute a situational trust value to that meeting between the two SIM holders. Then with a bunch of those situational trust values, you can infer the user relation. The more context information, the more you can infer.</p>
<p style="text-align:justify;">Based on that idea, we made a small prototype using <a href="http://www.sunspotworld.com/">SunSpots</a> representing those advanced SIM cards, with a simple trust inference model and a test scenario. It may sound like a simple test, and in fact it was, as the thesis focused on bringing a new idea (which is extensively described) and the state-of-the-art research, having the prototype as a small proof-of-concept.</p>
<p style="text-align:justify;">When I was reviewing the thesis for the paper presentation, I read in <a href="http://www.schneier.com/">Bruce Schneier</a>&#8217;s blog about a <a href="http://www.ncbi.nlm.nih.gov/pubmed/19706491">paper</a> from some researchers at the Santa Fe Institute who used location information and phone call information to infer the friendship closeness between the people involved in the experiment. The result was that they could predict the level of friendship with 95% accuracy! This pretty much confirms my thesis result =)</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Good summary of Sun's open IdM projects]]></title>
<link>http://idlogger.wordpress.com/2009/11/24/good-summary-of-suns-open-idm-projects/</link>
<pubDate>Tue, 24 Nov 2009 12:34:13 +0000</pubDate>
<dc:creator>jbohren</dc:creator>
<guid>http://idlogger.wordpress.com/2009/11/24/good-summary-of-suns-open-idm-projects/</guid>
<description><![CDATA[Luca Mayer has this summary of Sun&#8217;s open source IdM projects. I have some experience with Ope]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Luca Mayer has <a href="http://www.mayeronline.it/www/archives/sun-identity-management-community-project/">this</a> summary of Sun&#8217;s open source IdM projects. I have some experience with OpenSPML (obviously), and I have fiddled with OpenDS. There is some great stuff there.</p>
<p>I hope this all survives the acquisition.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Storage Tiering vs ILM]]></title>
<link>http://nsrd.wordpress.com/2009/11/24/storage-tiering-vs-ilm/</link>
<pubDate>Mon, 23 Nov 2009 18:25:52 +0000</pubDate>
<dc:creator>Preston</dc:creator>
<guid>http://nsrd.wordpress.com/2009/11/24/storage-tiering-vs-ilm/</guid>
<description><![CDATA[Over at StorageNerve, and on Twitter, Devang Panchigar has been asking Is Storage Tiering ILM or a s]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Over at <a title="StorageNerve" href="http://storagenerve.com/" target="_blank">StorageNerve</a>, and on Twitter, Devang Panchigar has been asking <a title="Is storage tiering ILM or a subset of ILM, but where is ILM" href="http://storagenerve.com/2009/11/20/is-storage-tiering-ilm-or-a-subset-of-ilm-but-where-is-ilm/" target="_blank"><em>Is Storage Tiering ILM or a subset of ILM, but where is ILM?</em></a> I think it&#8217;s an important question with some interesting answers.</p>
<p>Devang starts with defining ILM from a storage perspective:</p>
<blockquote><p>1) A user or an application creates data and possibly over time that data is modified.<br />
2) The data needs to be stored and possibly be protected through RAID, snaps, clones, replication and backups.<br />
3) The data now needs to be archived as it gets old, and retention policies &#38; laws kick in.<br />
4) The data needs to be search-able and retrievable NOW.<br />
5) Finally the data needs to be deleted.</p></blockquote>
<p>I agree with items 1, 3, 4 and 5 – as per previous posts, for what it&#8217;s worth, I believe that 2 <a title="Information Lifecycle Protection" href="http://nsrd.wordpress.com/2009/09/12/think-backup-belongs-in-ilm-think-again/" target="_blank">belongs to a sister activity which I define as Information Lifecycle Protection (ILP)</a> – something that Devang acknowledges as an alternative theory. (I liken the logic of the separation between ILM and ILP to that between <a title="Backup is a production activity" href="http://nsrd.wordpress.com/2009/08/25/backup-is-a-production-activity/" target="_blank">operational production servers and support production servers</a>.)</p>
<p>The above list, for what it&#8217;s worth, is actually a fairly astute/accurate summary of the involvement of the storage industry thus far in ILM. Devang rightly points out that Storage Tiering (migrating data between different speed/capacity/cost storage based on usage, etc.), doesn&#8217;t address all of the above points – in particular, data creation and data deletion. That&#8217;s certainly true.</p>
<p>What&#8217;s missing from ILM from a storage perspective are the components that storage can only peripherally control. Perhaps that&#8217;s not entirely accurate – the storage industry can certainly participate in the remaining components (indeed, particularly in NAS systems it&#8217;s absolutely necessary, as a prime example) – but it&#8217;s more than just the storage industry. It&#8217;s operating system vendors. It&#8217;s application vendors. It&#8217;s database vendors. It is, quite frankly, the whole kit and caboodle.</p>
<p>What&#8217;s missing in the storage-centric approach to ILM is <a title="Identity Management" href="http://en.wikipedia.org/wiki/Identity_management" target="_blank"><em>identity management</em></a> – or to be more accurate in this context, <a title="Identity management systems" href="http://en.wikipedia.org/wiki/Identity_management_systems" target="_blank">identity management systems</a>. The brief outline of identity management is that it&#8217;s about moving access control and content control <em>out</em> of the hands of the system, application and database administrators, and into the hands of human resources/corporate management. So a system administrator could have total systems access over an entire host and all its data <em>but</em> not be able to open files that (from a corporate management perspective) they have no right to access. A database administrator can fully control the corporate database, but can&#8217;t access commercially sensitive or staff salary details, etc.</p>
<p>Most typically though, it&#8217;s about corporate roles, as defined in human resources, being reflected <em>from the ground up</em> in system access options. That is, human resources, when they setup a new employee as having a particular role within the organisation (e.g., &#8220;personal assistant&#8221;), triggering the appropriate workflows to setup that person&#8217;s accounts and access privileges for IT systems as well.</p>
<p>If you think that&#8217;s insane, you probably don&#8217;t appreciate the purpose of it. System/app/database administrators I talk to about identity management frequently raise trust (or the perceived lack thereof) involved in such systems. I.e., they think that if the company they work for wants to implement identity management, it doesn&#8217;t <em>trust</em> the people who are tasked with protecting the systems. I won&#8217;t lie, I think in a very small number of instances this may be the case. Maybe 1%, maybe as high as 2%. But let&#8217;s look at the bigger picture here – we, as system/application/database administrators, currently have access to such data not because we <em>should</em> have access to such data but because until recently there have been very few options in place to limit data access to only those who, from a corporate governance perspective, <em>should</em> have access to that data. As such, most system/app/database administrators are highly ethical – they know that being able to access data doesn&#8217;t equate to actually accessing that data. (Case in point: as the engineering manager and sysadmin at my last job, if I&#8217;d been less ethical, I would have seen the writing on the wall long before the company fell down under financial stresses around my ears!)</p>
<p>Trust doesn&#8217;t wash in legal proceedings. Trust doesn&#8217;t wash in financial auditing. Particularly in situations where accurate logs aren&#8217;t maintained in an appropriately secured manner to prove that person A didn&#8217;t access data X. The fact that the system was designed to permit A to access X (even as part of A&#8217;s job) is in some financial, legal and data sensitivity areas, significant cause for concern.</p>
<p>Returning to the primary point though, it&#8217;s about ensuring that the people who have authority over someone&#8217;s role within a company (human resources/management) have control over the processes that configure the access permissions that person has. It&#8217;s also about making sure that those workflows are properly configured and automated so there&#8217;s no room for error.</p>
<p>So what&#8217;s missing – or what&#8217;s only at the barest starting point – is the integration of identity/access control with ILM (including storage tiering) and ILP. This, as you can imagine, is not an easy task. Hell, it&#8217;s not even a hard task – it&#8217;s a <em>monumentally difficult</em> task. It involves a level of cooperation and coordination between different technical tiers (storage, backup, operating systems, applications) that we rarely, if ever, see beyond the basic &#8220;must all work together or else it will just spend all the time crashing&#8221; perspective.</p>
<p><em>That&#8217;s the bit</em> that gives the extra components – control over content creation and destruction. The storage industry on its own does not have the correct levels of exposure to an organisation in order to provide this functionality of ILM. Nor do the operating system vendors. Nor do the database vendors or the application vendors – they all have to work together to provide a total solution on this front.</p>
<p>I think this answers (indirectly) Devang&#8217;s question/comment on why storage vendors, and indeed most of the storage industry, have stopped talking about ILM – the easy parts are well established, but the hard parts are only in their infancy. We are, after all, seeing some very early processes around integrating identity management and ILM/ILP. For instance, key management on backups, if handled correctly, can allow for situations where backup administrators can&#8217;t by themselves perform the recovery of sensitive systems or data – it requires corporate permissions (e.g., the input of a data access key by someone in HR, etc.). Various operating systems and databases/applications are now providing hooks for identity management (to name just one, here&#8217;s <a title="Oracle Identity Management" href="http://www.oracle.com/technology/products/id_mgmt/index.html" target="_blank">Oracle&#8217;s details on it</a>.)</p>
<p>So no, I think we can confidently say that storage tiering in and of itself is not the answer to ILM. As to why the storage industry has for the most part stopped talking about ILM, we&#8217;re left with one of two choices – it&#8217;s hard enough that they don&#8217;t <em>want</em> to progress it further, or it&#8217;s sufficiently commercially sensitive that it&#8217;s not something discussed without the strongest of NDAs.</p>
<p>We&#8217;ve seen in the past that the storage industry can cooperate on shared formats and standards. We wouldn&#8217;t be in the era of pervasive storage we currently are without that cooperation. Fibre-channel, SCSI, iSCSI, FCoE, NDMP, etc., are proof positive that cooperation is possible. What&#8217;s different this time is the cooperation extends over a much larger realm to also encompass operating systems, applications, databases, etc., <em>as well as</em> all the storage components in ILM and ILP. (It makes <em>backups</em> seem to have a small footprint, and backups are amongst the most pervasive of technologies you can deploy within an enterprise environment.)</p>
<p>So we can <em>hope</em> that the reason we&#8217;re not hearing a lot of talk about ILM any more is that all the interested parties are either working on this level of integration, or even making the appropriate preparations themselves in order to start working together on this level of integration.</p>
<p>Fingers crossed people, but don&#8217;t hold your breath – no matter how closely they&#8217;re talking, it&#8217;s a long way off.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[EUS and asmcmd]]></title>
<link>http://oraclemva.wordpress.com/2009/11/17/eus-and-asmcmd/</link>
<pubDate>Tue, 17 Nov 2009 17:02:10 +0000</pubDate>
<dc:creator>Jacco H. Landlust</dc:creator>
<guid>http://oraclemva.wordpress.com/2009/11/17/eus-and-asmcmd/</guid>
<description><![CDATA[I have been working a lot with EUS lately at a big customer. My personal account is able to login to]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I have been working a lot with <a title="Link to OBE about EUS" href="http://www.oracle.com/technology/obe/obe_as_10g/im/eus/eus.htm" target="_blank">EUS </a>lately at a big customer. My personal account is able to login to databases (EUS) and also on to OEL (<a title="Link to README of OAS4OS" href="http://www.oracle.com/technology/products/oid/htdocs/oas4os_readme.html" target="_blank">OAS4OS</a>). This combined with some chown/chmod commands on OEL enables me to do my job with my personal account.</p>
<p>Since this customer also uses ASM, I figured I would like to use my personal account for asmcmd too. First I tested the process with a local account; baby steps usually work best for me. I created an account jhl:</p>
<blockquote><p># useradd -g asmadmin -G dba jhl</p></blockquote>
<p>Next I su&#8217;d to jhl and tested the procedure:</p>
<blockquote><p>$ id<br />
uid=10238(jhl) gid=4007(asmadmin) groups=4006(dba),4007(asmadmin)</p>
<p>$ . oraenv<br />
ORACLE_SID = [+ASM1] ? +ASM1<br />
The Oracle base for ORACLE_HOME=/u01/app/oracle/product/11.1.0/asm_200 is /u01/app/oracle</p>
<p>$ asmcmd<br />
ASMCMD&#62; ls</p></blockquote>
<p>This looks promising; all that needed to be done next was repeating the steps, only now with an account from the OID. First I had to add the group to the OID, here&#8217;s the ldif I used:</p>
<blockquote><p>cn=asmadmin,cn=groups,dc=some_company,dc=nl<br />
uniquemember=cn=landlustjh,cn=users,dc=some_company,dc=nl<br />
owner=cn=orcladmin,cn=users, dc=some_company,dc=nl<br />
objectclass=top<br />
objectclass=groupOfUniqueNames<br />
objectclass=orclGroup<br />
objectclass=posixgroup<br />
cn=asmdba<br />
orclisvisible=true<br />
displayname=asmadmin<br />
description=asmadmin<br />
gidnumber=1007</p></blockquote>
<p>As you can see in the ldif, I added my personal account to the asmadmin group. After adding the group to the OID I performed a quick check to see if all went according to plan:</p>
<blockquote><p>$ id<br />
uid=10217(LandlustJH) gid=1006(dba) groups=1006(dba),1007(asmadmin),1010(remotelogin),1011(oraclemembers),1012(rootmembers)</p></blockquote>
<p>Now the login:</p>
<blockquote><p>$ asmcmd<br />
ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)<br />
ASMCMD-08103: failed to connect to ASM; ASMCMD running in non-connected mode<br />
ASMCMD&#62;</p></blockquote>
<p>Aiks? Since I&#8217;m not that stupid, I started tracing asmcmd:</p>
<blockquote><p>$ export DBI_TRACE=1</p>
<p>$ asmcmd<br />
    -&#62; DBI-&#62;connect(dbi:Oracle:, , ****, HASH(0xd547e0))<br />
    -&#62; DBI-&#62;install_driver(Oracle) for linux perl=5.008003 pid=6683 ruid=10217 euid=10217<br />
       install_driver: DBD::Oracle version 1.15 loaded from /u01/app/oracle/product/11.1.0/asm_202//perl/lib/site_perl/5.8.3/x86_64-linux-thread-multi/DBD/Oracle.pm<br />
    &#60;- install_driver= DBI::dr=HASH(0x7c28c0)<br />
       ERROR: 1034 'ORA-01034: ORACLE not available<br />
ORA-27101: shared memory realm does not exist<br />
Linux-x86_64 Error: 2: No such file or directory (DBD ERROR: OCISessionBegin)'<br />
    &#60;- DESTROY= undef at DBI.pm line 591<br />
       DBI connect('','',...) failed: ORA-01034: ORACLE not available<br />
ORA-27101: shared memory realm does not exist<br />
Linux-x86_64 Error: 2: No such file or directory (DBD ERROR: OCISessionBegin)<br />
ORA-01034: ORACLE not available<br />
ORA-27101: shared memory realm does not exist<br />
Linux-x86_64 Error: 2: No such file or directory (DBD ERROR: OCISessionBegin)<br />
ASMCMD-08103: failed to connect to ASM; ASMCMD running in non-connected mode</p></blockquote>
<p>The tracing and some MOS-ing (MOS actually works for me!) taught me that I forgot to set my environment. No rocket science so far. Let&#8217;s retry:</p>
<blockquote><p>$ . oraenv<br />
ORACLE_SID = [+ASM1] ? +ASM1<br />
The Oracle base for ORACLE_HOME=/u01/app/oracle/product/11.1.0/asm_200 is /u01/app/oracle</p>
<p>$ asmcmd<br />
    -&#62; DBI-&#62;connect(dbi:Oracle:, , ****, HASH(0xd53960))<br />
    -&#62; DBI-&#62;install_driver(Oracle) for linux perl=5.008003 pid=3186 ruid=10217 euid=10217<br />
       install_driver: DBD::Oracle version 1.15 loaded from /u01/app/oracle/product/11.1.0/asm_200/perl/lib/site_perl/5.8.3/x86_64-linux-thread-multi/DBD/Oracle.pm<br />
    &#60;- install_driver= DBI::dr=HASH(0x7c1e70)<br />
       ERROR: 12547 'ORA-12547: TNS:lost contact (DBD ERROR: OCIServerAttach)'<br />
    &#60;- DESTROY= undef at DBI.pm line 591<br />
       DBI connect('','',...) failed: ORA-12547: TNS:lost contact (DBD ERROR: OCIServerAttach)<br />
ORA-12547: TNS:lost contact (DBD ERROR: OCIServerAttach)<br />
ASMCMD-08103: failed to connect to ASM; ASMCMD running in non-connected mode</p></blockquote>
<p>ORA-12547 was NOT what I was expecting at all. Even more MOS-ing later I discovered the privileges on the oracle binary were not set correctly. This could be fixed easily:</p>
<blockquote><p>oracle$ chmod 6751 $ORACLE_HOME/bin/oracle</p></blockquote>
<p>and then yet another try (now with the proper environment):</p>
<blockquote><p>$ asmcmd<br />
    -&#62; DBI-&#62;connect(dbi:Oracle:, , ****, HASH(0xd53990))<br />
    -&#62; DBI-&#62;install_driver(Oracle) for linux perl=5.008003 pid=31109 ruid=10217 euid=10217<br />
       install_driver: DBD::Oracle version 1.15 loaded from /u01/app/oracle/product/11.1.0/asm_200/perl/lib/site_perl/5.8.3/x86_64-linux-thread-multi/DBD/Oracle.pm<br />
    &#60;- install_driver= DBI::dr=HASH(0x7c1ec0)<br />
       ERROR: 1031 'ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)'<br />
    &#60;- DESTROY= undef at DBI.pm line 591<br />
       DBI connect('','',...) failed: ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)<br />
ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)<br />
ASMCMD-08103: failed to connect to ASM; ASMCMD running in non-connected mode</p></blockquote>
<p>ORA-01031? Now how about that? Usually that&#8217;s caused by password file trouble:</p>
<blockquote><p>SQL&#62; select * from v$pwfile_users;</p>
<p>USERNAME         SYSDBA          SYSOPER         SYSASM<br />
---------------- --------------- --------------- ---------------<br />
SYS              TRUE            TRUE            FALSE<br />
SQL&#62; grant sysasm to sys;</p>
<p>Grant succeeded.<br />
SQL&#62; select * from v$pwfile_users;</p>
<p>USERNAME         SYSDBA          SYSOPER         SYSASM<br />
---------------- --------------- --------------- ---------------<br />
SYS              TRUE            TRUE            TRUE</p></blockquote>
<p>Now let&#8217;s try again:</p>
<blockquote><p>$ asmcmd<br />
    -&#62; DBI-&#62;connect(dbi:Oracle:, , ****, HASH(0xd539b0))<br />
    -&#62; DBI-&#62;install_driver(Oracle) for linux perl=5.008003 pid=4315 ruid=10217 euid=10217<br />
       install_driver: DBD::Oracle version 1.15 loaded from /u01/app/oracle/product/11.1.0/asm_200/perl/lib/site_perl/5.8.3/x86_64-linux-thread-multi/DBD/Oracle.pm<br />
    &#60;- install_driver= DBI::dr=HASH(0x7c23c0)<br />
       ERROR: 1031 'ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)'<br />
    &#60;- DESTROY= undef at DBI.pm line 591<br />
       DBI connect('','',...) failed: ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)<br />
ORA-01031: insufficient privileges (DBD ERROR: OCISessionBegin)<br />
ASMCMD-08103: failed to connect to ASM; ASMCMD running in non-connected mode</p></blockquote>
<p>Still no jackpot, but guess what:</p>
<blockquote><p>$ asmcmd -a sysdba<br />
    -&#62; DBI-&#62;connect(dbi:Oracle:, , ****, HASH(0xd539b0))<br />
    -&#62; DBI-&#62;install_driver(Oracle) for linux perl=5.008003 pid=4351 ruid=10217 euid=10217<br />
       install_driver: DBD::Oracle version 1.15 loaded from /u01/app/oracle/product/11.1.0/asm_200/perl/lib/site_perl/5.8.3/x86_64-linux-thread-multi/DBD/Oracle.pm<br />
    &#60;- install_driver= DBI::dr=HASH(0x7c23c0)<br />
1   &#60;- prepare('<br />
                SELECT SYS_CONTEXT('userenv','session_user') FROM DUAL<br />
            ' undef)= DBI::st=HASH(0x100a6e0) at Oracle.pm line 295<br />
    &#60;- selectrow_array('<br />
                SELECT SYS_CONTEXT('userenv','session_user') FROM DUAL<br />
            ')= 'SYS' at Oracle.pm line 295<br />
$h-&#62;{'ora_session_mode'}=2 ignored for invalid driver-specific attribute<br />
    &#60;- connect= DBI::db=HASH(0xfa15d0)<br />
1   &#60;- FETCH('NAME')= [ 'VALUE' ] at asmcmdshare.pm line 2324<br />
1   &#60;- fetch= [ 'asm' ] row1 at asmcmdshare.pm line 2324<br />
1   &#60;- FETCH('NAME')= [ 'VERSION' ] at asmcmdshare.pm line 2324<br />
1   &#60;- fetch= [ '11.1.0.7.0' ] row1 at asmcmdshare.pm line 2324<br />
ASMCMD&#62;</p></blockquote>
<p>Hey Joe, what do <em>you</em> know? I only found this behaviour once, when the osdba group was not called dba. I remember that I had to check some spec file and recompile ioracle:</p>
<blockquote><p>cat $ORACLE_HOME/rdbms/lib/config.c<br />
#define SS_DBA_GRP "dba"<br />
#define SS_OPER_GRP "dba"<br />
#define SS_ASM_GRP "asmadmin"</p>
<p>char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};</p></blockquote>
<p>Sadly enough in this case the default group name is asmadmin, so a recompile will not help me out. The only thing left is to trace the sqlnet session from asmcmd to the database back to OID, but somehow I have a feeling this will not help me out. Anyway, I&#8217;m done for the day. Maybe I can find a solution tomorrow. Any help is appreciated.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[12/2 Enterprise SaaS Working Group webinar - Access and Identity Management for the Cloud]]></title>
<link>http://conformity.wordpress.com/2009/11/16/122-enterprise-saas-working-group-webinar-access-and-identity-management-for-the-cloud/</link>
<pubDate>Mon, 16 Nov 2009 21:28:58 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/11/16/122-enterprise-saas-working-group-webinar-access-and-identity-management-for-the-cloud/</guid>
<description><![CDATA[We&#8217;re excited to announce that on December 2nd  at 10:00am PST / 1:00pm EST we&#8217;ll be hol]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We&#8217;re excited to announce that on December 2nd at 10:00am PST / 1:00pm EST we&#8217;ll be holding the <a href="http://www.conformity-inc.com/archive/landingpages/120209_ESWG_reg_page.htm" target="_blank">second meeting</a> of the <strong>Enterprise SaaS Working Group </strong>on the topic of <strong>Access and Identity Management for the Cloud</strong>.</p>
<p>One of the recognized challenges with SaaS in the enterprise is the silos of identity that are created by cloud applications. Each service contains its own &#8216;version of the truth&#8217; around users, permissions and credentials, disconnected from legacy directory services and identity management systems. Based on feedback from our first event, this meeting will focus on the identity management and access control issues that need to be addressed for SaaS to become truly mainstream in the enterprise. Discussion will focus on several questions including:</p>
<div>
<ul>
<li><strong>SaaS identity issues in the enterprise – speed bump or show stopper?</strong></li>
<li><strong>What will be the identity source(s) in a cloud-centric world?</strong></li>
<li><strong>Can separate cloud and on-premise user identities co-exist?</strong></li>
<li><strong>Will enterprise IT ever put corporate directories in the cloud?</strong></li>
</ul>
</div>
<p>Participants in the session will include:</p>
<ul>
<li><strong>Michael Amend –</strong> Director of Enterprise Architecture at <a href="http://www.dell.com" target="_blank">Dell, Inc.</a></li>
<li><strong>Chris Bedi –</strong> CIO at <a href="http://www.verisign.com" target="_blank">VeriSign, Inc.</a></li>
<li><strong>Scott Carruth –</strong> VP, Information Systems at <a href="http://www.initiatesystems.com" target="_blank">Initiate Systems</a></li>
<li><strong>Peter Dapkus –</strong> Director of Product Management at <a href="http://www.salesforce.com" target="_blank">Salesforce.com</a></li>
<li><strong>Steve Coplan</strong> &#8211; Senior Analyst, Enterprise Security Practice at <a href="http://www.451group.com">The 451 Group</a></li>
<li><strong>Doug Harr</strong> &#8211; CIO at <a href="http://www.ingres.com" target="_blank">Ingres Corporation</a></li>
<li><strong>Ryan Nichols</strong> – VP Cloudsourcing &#38; Cloud Strategies at <a href="http://www.appirio.com" target="_blank">Appirio</a></li>
</ul>
<p>The discussion will focus on critical issues and corresponding best practices in the areas of access management, authentication, identity synchronization and identity policy enforcement, and will include a Q&#38;A session open to all attendees. <a href="http://tinyurl.com/y9l3kg6" target="_blank">Click here</a> for more information and to register for this exciting event!</p>
<p><a href="http://www.conformity-inc.com/archive/landingpages/120209_ESWG_reg_page.htm" target="_blank">Register now &#62;&#62;</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Luca Mayer - Spike Reply: Is there any open source identity and access management suite?]]></title>
<link>http://sahuguet.wordpress.com/2009/11/16/luca-mayer-spike-reply-is-there-any-open-source-identity-and-access-management-suite/</link>
<pubDate>Mon, 16 Nov 2009 16:20:44 +0000</pubDate>
<dc:creator>sahuguet</dc:creator>
<guid>http://sahuguet.wordpress.com/2009/11/16/luca-mayer-spike-reply-is-there-any-open-source-identity-and-access-management-suite/</guid>
<description><![CDATA[&nbsp;&nbsp;[From Luca Mayer - Spike Reply: Is there any open source identity and access management ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>&#160;&#160;[From <a href="http://feedproxy.google.com/~r/PlanetIdentity/~3/yzvsD3rNCJM/"><cite>Luca Mayer - Spike Reply: Is there any open source identity and access management suite?</cite></a>]</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Emerging Best Practices - Extending Microsoft Active Directory to SaaS and Cloud Applications]]></title>
<link>http://conformity.wordpress.com/2009/11/13/emerging-best-practices-extending-microsoft-active-directory-to-saas-and-cloud-applications/</link>
<pubDate>Fri, 13 Nov 2009 21:34:30 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/11/13/emerging-best-practices-extending-microsoft-active-directory-to-saas-and-cloud-applications/</guid>
<description><![CDATA[Though cloud and SaaS solutions are seeing rapid adoption in the enterprise, management of these app]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Though cloud and SaaS solutions are seeing rapid adoption in the enterprise, management of these applications is not aligned with traditional IT controls and policies.  SaaS has been deployed and managed largely by business users, with limited input from CIOs and IT organizations.  As these cloud-based technologies replace mission-critical on-premise applications and host sensitive organizational data, enterprise IT is now regaining their ‘seat at the table’.   When seeking to extend policies and controls to SaaS, these IT organizations are disappointed to learn that existing directories and  IT management technologies don’t easily extend to the cloud.  These organizations struggle to achieve alignment of SaaS and cloud solutions with established enterprise identity sources including Human Resources Information Systems (HRIS), directory services, and Identity Management (IdM) solutions.  This alignment and resulting visibility and control is critical for IT and Finance departments concerned with regulatory compliance, governance, and identity and access management.</p>
<p>Given the role that Microsoft Active Directory and associated proxy services play in providing centralized authentication, access control, and identity synchronization for on-premise applications, it would seem to be a logical integration point to also harness SaaS and cloud solutions.  Unfortunately IT organizations are finding that AD itself does not easily extend into leading SaaS applications, with direct integration difficult if not impossible.</p>
<p>Despite this inability to directly integrate AD with major cloud applications, forward-thinking enterprises are focusing on a &#8220;loose coupling&#8221; of on-premise Microsoft Active Directory and SaaS solutions through new third-party management solutions.  This approach allows an integration path with the existing, deployed directory technologies and does not require major adjustments in the SaaS vendor technology roadmaps.  By integrating the current SaaS and directory solutions, the enterprise can align critical services including user identity and attributes, login services (Single Sign-On), and IT policies.  This alignment can lead to immediate benefits in security, IT efficiency, and governance and regulatory compliance.  In our new white paper, <strong>Extending Microsoft Active Directory to the Cloud</strong>, we explore the approaches and solutions organizations are leveraging for identity synchronization, policy enforcement and single sign-on (SSO).</p>
<p><strong><a href="mailto:sales@conformity-inc.com?subject=Whitepaper_request_Extending_AD_to_the_Cloud">Click here to request a free copy &#62;&#62;</a></strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[OAuth is coming]]></title>
<link>http://identitynetworks.wordpress.com/2009/11/10/oauth-is-coming/</link>
<pubDate>Tue, 10 Nov 2009 14:09:48 +0000</pubDate>
<dc:creator>identitynetworks</dc:creator>
<guid>http://identitynetworks.wordpress.com/2009/11/10/oauth-is-coming/</guid>
<description><![CDATA[and we like it! OAuth is an open protocol to allow secure API authorization in a simple and standard]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>and we like it!</p>
<p><a href="http://oauth.net/" target="_blank">OAuth</a> is an <strong>open protocol</strong> to allow <strong>secure API authorization </strong> in a <strong>simple</strong> and <strong>standard</strong> method from desktop and web applications, as stated on the OAuth web site.</p>
<p>Why do we like OAuth?</p>
<ol>
<li><strong>It is simple</strong>.  Most of the bad security implementations are done by people with good intentions and low skill.  Understanding the issues involved greatly improves the chances of making the right choices.</li>
<li><strong>It solves a real hard problem</strong>: giving access to your stuff without sharing your identity.</li>
<li><strong>Plays well with others</strong>.  OAuth has built in support for desktop applications, mobile devices, set-top boxes, and of course websites.</li>
</ol>
<p>OAuth helps delegate rights to a process acting as you, without losing privacy or compromising security.  And the specification is short and possible to understand.  Replacing shared secrets is a really good idea.  Replacing hardcoded application-based passwords is an even better idea.  Replacing the spoofing of users by logging in as root/admin and then emulating the actual user is a great idea.  And all of this may be done with OAuth.</p>
<p>One use case is getting access to your data on your behalf, but on a different site, while not giving away your identity from the first site. Another is the TCS eScience Personal Portal (aka Confusa) that will use OAuth to authenticate a command line client tool to a web-based service that issues <span style="text-decoration:line-through;">short-lived </span>certificates. Then they will extend it further using OAuth for web-based delegation of proxy certificates, collaborating with a Norwegian university.  Some other use cases that people in my neighbourhood have been playing with so far:</p>
<ul>
<li><a href="http://rnd.feide.no/content/oauth-attribute-query-protocol">Attribute query protocol</a></li>
<li><a href="http://blogs.mnt.se/?p=22">Certificate enrollment in confusa using OAuth</a></li>
<li><a href="http://rnd.feide.no/content/vo-oauth-and-trust-model">Virtual Organizations, OAuth and trust models</a></li>
<li><a href="https://rnd.feide.no/content/twitter-authentication-module">Twitter authentication model</a></li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Forefront Identity Manager (FIM) 2010 RC1 VHD download]]></title>
<link>http://virtualy.wordpress.com/2009/11/10/forefront-identity-manager-fim-2010-rc1-vhd-download/</link>
<pubDate>Tue, 10 Nov 2009 09:47:54 +0000</pubDate>
<dc:creator>Domagoj Pernar</dc:creator>
<guid>http://virtualy.wordpress.com/2009/11/10/forefront-identity-manager-fim-2010-rc1-vhd-download/</guid>
<description><![CDATA[  New VHD available from Microsoft &#8211; Forefront Identity Manager 2010 Rc1. This VHD is really u]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<p style="text-align:justify;"><img class="aligncenter size-medium wp-image-214" title="Forefront Identity Manager 2010" src="http://virtualy.wordpress.com/files/2009/11/fim.png?w=300" alt="Forefront Identity Manager 2010" width="300" height="84" /></p>
<p style="text-align:justify;">New VHD available from Microsoft &#8211; <a title="Forefront Identity Manager 2010 RC1 VHD" href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&#38;FamilyID=4729e8ce-8209-45df-933d-f83c7de5cd29#tm">Forefront Identity Manager 2010 Rc1</a>. This VHD is really useful to get you going with FIM, because clean FIM installation and configuration can take pretty much time. You need to install all FIM components (and believe me, there are a lot of components), configure provisioning etc, etc.   Anyway, now with FIM 2010 VHD available for download, you can try all features:</p>
<ul style="text-align:justify;">
<li>Provisioning of users and groups to AD</li>
<li>Creating new dynamic groups</li>
<li>Self-service password reset</li>
<li>Integration with Office</li>
<li>And much more&#8230;</li>
</ul>
<p style="text-align:justify;">If you are interested in identity management, grab your VHD <a title="Forefront Identity Manager 2010 RC1 VHD" href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&#38;FamilyID=4729e8ce-8209-45df-933d-f83c7de5cd29#tm">here</a> , create Hyper-V Virtual Machine and manage your identities.</p>
<p style="text-align:justify;"> </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[One Ring to rule them all - OpenID]]></title>
<link>http://itsaneesh.wordpress.com/2009/11/09/one-ring-to-rule-them-all-openid/</link>
<pubDate>Mon, 09 Nov 2009 08:12:57 +0000</pubDate>
<dc:creator>Aneesh Bhasin</dc:creator>
<guid>http://itsaneesh.wordpress.com/2009/11/09/one-ring-to-rule-them-all-openid/</guid>
<description><![CDATA[Hello everyone.. A few weeks back, I came across a new term that has been getting rathwer popular si]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Hello everyone..</p>
<p>A few weeks back, I came across a new term that has been getting rather popular for quite some time on the net &#8211; &#8216;OpenID&#8217;. Now, a lot of people might be using it in some form or the other, but perhaps not all of us understand what it is and why it exists.</p>
<p>So, <strong>what is OpenID?</strong> To understand it, first imagine how registering on and using different sites works. Most of us are registered on various sites &#8211; these may be social networks (like Facebook, Orkut etc.), shopping sites, forums, and other such sites. Now, there are a few issues with how things normally work:</p>
<ol>
<li>Firstly, <strong>registering on a site</strong> is a multi-step process which needs to be done repeatedly &#8211; a recent study showed that many visitors avoid registering on a site simply because they are too lazy to fill in all the registration information. However, automatic form-filling (like in the Google toolbar) could help somewhat by automating the form-filling.</li>
<li>The second problem, which is of more concern, is <strong>remembering the password</strong>. Either the user keeps the same password on all sites, which increases the chances of identity theft (you will be surprised at how many sites store your actual password and not its encrypted/hashed value on their servers &#8211; ever got a mail from a site after registering, mentioning your password in the mail? &#8211; well, beware of such sites). In this option, if a &#8216;hacker&#8217; could get your password on any one site, he could potentially gain access to your identity on all the other sites. The other option is that you keep different passwords on different sites &#8211; but then, remembering them is a complete mess! You either cannot remember them or you need to use some password manager to gain access &#8211; again a problem, since it involves an extra step and because you may not have access to the password manager on a public computer.</li>
<li>A third problem is that if you use many social networking sites, there is <strong>no link between the friends</strong> you have on one site and the friends on another site &#8211; you cannot simply add friends on Facebook and then hope that the same would also appear in your friends list on Orkut!</li>
</ol>
<p>In comes <strong>OpenID</strong> &#8211; &#8220;one ring to rule them all&#8221; &#8211; it is like your one single identity across the whole web and one central/unified way of signing in to websites. So now, if you go to an OpenID-enabled site and press register, all you have to specify is your OpenID, and then perhaps your OpenID password, and then the site where you are registering will pull in all your information and your contact information from the OpenID provider&#8217;s site (with your permission, of course) and you are done &#8211; no need to fill in forms, remember passwords or search for your friends! Simple and effective. Also, because now your password is only visible to the OpenID provider&#8217;s site, and no other site sees/knows it, you only need to protect and remember a single password, thus making identity theft less likely. Also, if all your friends on one site are using OpenID, it&#8217;s simple for any other site to pull your friends&#8217; ids from one site and add them to your friends list in the other!</p>
<p>Now that the concept of OpenID is clear, let&#8217;s see what an OpenID actually is &#8211; it is a <strong>form of URL</strong> (e.g. openid_provider.com/myname) &#8211; without going into too much technical detail, whenever you enter your OpenID URL on any site, that site will contact the OpenID provider website (openid_provider.com in the example above), which will authenticate you and your information. For more technical details on how it works, refer to: <a href="http://en.wikipedia.org/wiki/OpenID#Logging_in">http://en.wikipedia.org/wiki/OpenID#Logging_in</a></p>
<p>Naturally, the question that comes to mind is, <strong>who is an OpenID provider?</strong> Over the past year, OpenID has become quite popular. So, many sites have been providing OpenIDs &#8211; in fact, you already might have one or many of them. For example, blogger (my blog url: <a href="http://itsaneesh.wordpress.com/">http://itsaneesh.wordpress.com/</a> is actually also an OpenID), wordpress, livejournal etc. provide you an OpenID when you register. Google also makes an OpenID for you when you register (although it&#8217;s slightly different, in that your Google OpenID has a long alphanumeric sequence as your OpenID), as do Flickr, Yahoo, MSN etc. (see <a href="http://openid.net/get-an-openid/">http://openid.net/get-an-openid/</a> for more details). In fact, for users of Google &#8211; you might have seen the &#8220;Sign in with a Google Account&#8221; button on many third-party sites &#8211; all of these are utilizing Google&#8217;s OpenID features.</p>
<p>An alternative way of getting your OpenID is from sites meant solely for this; some good examples are <a href="http://chi.mp/">http://chi.mp/</a>, <a href="https://claimid.com/">https://claimid.com/</a>, <a href="http://www.yiid.com/">http://www.yiid.com</a>, <a href="http://www.myid.net/">http://www.myid.net/</a>, <a href="https://www.myopenid.com/">https://www.myopenid.com/</a>, <a href="https://pip.verisignlabs.com/">https://pip.verisignlabs.com/</a></p>
<p>While learning about OpenID, I visited and created my OpenID on the above-mentioned sites, and personally, I liked <a href="http://www.yiid.com/">yiid</a> the best (mine is at <a href="http://aneesh.yiid.com/">http://aneesh.yiid.com/</a>), as it gives you a page where you can list all the sites/communities you are a part of and also allows you to link multiple OpenIDs together so you can sign in to yiid with any of them. Another one I really like is <a href="http://chi.mp/">chi.mp</a>, as it gives you a personal free domain (mine at <a href="http://aneesh.mp/">http://aneesh.mp/</a>) and a page which you can customize, along with a blog, photostream etc.</p>
<p>Lastly, as OpenID becomes popular and the de-facto standard for logging into sites, the id will become a person&#8217;s unique identity on the net &#8211; you go to a photo site, and see a photo or a comment on another site by &#8220;<a href="http://itsaneesh.blogspot.com/">http://itsaneesh.blogspot.com/</a>&#8221;, and you know it&#8217;s the same person who created this blog! Of course, this also brings about concerns of privacy &#8211; but you have control over it &#8211; it&#8217;s no different from the real world &#8211; you have one unique face and you are known by it &#8211; you simply hide it when you want to do something you don&#8217;t want people to associate with you!!</p>
<p>So, now that you are more aware of what OpenID is, hopefully you will start noticing its existence and its advantages at more and more sites &#8211; share with me how you feel about it. And if you still don&#8217;t have one, well, what are you waiting for? &#8211; go, claim your identity!</p>
<p>Enjoy !</p>
<p>Aneesh..</p>
<p>PS : I still cannot decide which platform is better for blogging &#8211; blogspot or wordpress. Till the time I do so, please find the same post also at :</p>
<p><strong><a href="http://itsaneesh.blogspot.com/2009/11/one-ring-to-rule-them-all-openid.html">http://itsaneesh.blogspot.com/2009/11/one-ring-to-rule-them-all-openid.html</a></strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Two Factor Authentication Identity Management by Anakam wins Government Security News Homeland Security Awards]]></title>
<link>http://vadcmd.wordpress.com/2009/11/08/two-factor-authentication-identity-management-by-anakam-wins-government-security-news-homeland-security-awards/</link>
<pubDate>Sun, 08 Nov 2009 21:33:11 +0000</pubDate>
<dc:creator>dadministrator</dc:creator>
<guid>http://vadcmd.wordpress.com/2009/11/08/two-factor-authentication-identity-management-by-anakam-wins-government-security-news-homeland-security-awards/</guid>
<description><![CDATA[SAN DIEGO, Calif. – November 2, 2009 –Anakam TFA® Two Factor Authentication has been selected as the]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>SAN DIEGO, Calif. – November 2, 2009 – <a href="http://www.anakam.com/Products/Two-Factor_Authentication/">Anakam TFA® Two Factor Authentication</a> has been selected as the winner for “Best Authentication/Identification Product” at the GSN: Government Security News 1st Annual Homeland Security Awards competition. About 300 government officials and industry executives packed the grand ballroom of a Manhattan hotel on Oct. 27, 2009 to witness GSN announce the names of the winners in multiple security categories.</p>
<p>Read the full <a href="http://www.anakam.com/Knowledge/News/Article/40/">Two-Factor Authentication and Identity Management Anakam</a> award press release&#8230;</p>
<p>Anakam is headquartered in San Diego, though with offices around the country, including a substantial presence here in Washington DC and Northern Virginia &#8211; where Anakam supports <strong>Multi-factor Identity Management, Authentication and Secure Collaboration</strong> system and product implementations for eGovernment clients, including National Defense, Homeland Security and Intelligence Government customers.</p>
<p><a href="http://en.wikipedia.org/wiki/Two-factor_authentication" target="_blank" rel="nofollow">Wikipedia</a> defines Two-Factor Authentication as follows: &#8220;An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) or (2FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Using more than one factor is sometimes called &#8216;strong authentication&#8217;; however, &#8216;strong authentication&#8217; and &#8216;multi-factor authentication&#8217; are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves &#8216;something you have&#8217; or &#8216;something you are&#8217;, it would not be considered multi-factor.&#8221;</p>
<p>Allan Camaisa, Anakam’s Founder and CEO, was on hand at the GSN ceremony to accept the Anakam “Best Authentication/Identification Product” award personally. “We are honored to be receiving this award for our efforts to deliver a truly unique technology which provides for the trusted identity management of citizens logging on to Government portals- thereby allowing agencies to provide more valuable online services at a greatly reduced cost.”</p>
<p>“Congratulations to Anakam, our winner in the “Best IT Authentication/Identification Product” category, whose innovative technology enables massive scale, cost-effective and secure two-factor authentication for eGov applications. Anakam’s system has enabled remote identity proofing and strong authentication for millions of citizens, while lowering costs of service delivery dramatically by shifting to Web-based applications,” said Adrian Courtenay, Chairman of GSN.</p>
<p>This technology is extremely important in enabling greater security and privacy protection with respect to the proliferation of eGovernment services expanding through leverage of online Portals, Internet-based Web 2.0 technologies and mashup widgets, and government-branded social media channels &#8211; accessed across an extremely wide variety of fixed and mobile devices. Check out in LinkedIn the &#8220;<a href="http://www.linkedin.com/groupInvitation?groupID=2412602&#38;sharedKey=3D661F7BAA5B">Anakam Trusted Identity</a>&#8221; and &#8220;<a href="http://www.linkedin.com/groupInvitation?groupID=1927518&#38;sharedKey=26B0AF655731">Homeland Security Information Sharing and Social Media</a>&#8221; groups and topics for more related information.</p>
<p>Anakam’s winning entry, Anakam.TFA® Two Factor Authentication, provides enterprises with trusted access through two-factor authentication without the burden associated with issuing tokens or cards and by harnessing the ubiquity of common devices such as cell phones and pagers. Winners in each category were carefully reviewed by a panel of judges and chosen out of multiple entries.</p>
<p><strong><u>About Anakam</u></strong></p>
<p>Anakam enables <a href="http://www.anakam.com">strong identity authentication and identity management</a> at a fraction of the cost of traditional solutions, without encumbering customers, partners, and employees with cards, software downloads, tokens, or fobs. With tens of millions of end users, the Anakam Identity Suite® is unique in the industry, providing end-to-end multi-channel capabilities that allow secure, trusted eBusiness for very large user communities in a single platform. The suite includes two-factor authentication, remote identity proofing and identity verification, professional credentialing, and secure collaboration and authentication. For more information, visit <a href="http://www.anakam.com">Anakam.com</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[UK Access Management Federation Collaboration?]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/05/uk-access-management-federation-collaboration/</link>
<pubDate>Thu, 05 Nov 2009 21:41:53 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/05/uk-access-management-federation-collaboration/</guid>
<description><![CDATA[I was able to sit down and speak with Nicole Harris from JISC some more about the federation that th]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I was able to sit down and speak with Nicole Harris from JISC some more about the federation that they have in the UK.  It sounds like it is primarily focused on the UK at this point.  They have almost 100% of the higher ed schools on this system, and many others.  They have opened up access to the federation to service providers like academic publishing services, and to a few institutions outside of the UK.  Now that they have made such good progress internally to the UK, they are now looking at working with other federations and institutions.</p>
<p>Although I believe that it will make more sense for the UK access federation to work at a higher level of integration like at the InCommon federation level, I also expressed interest in seeing if there were any opportunities for other institutions to join this federation.  I was told that they are working on finalizing the policies around allowing other institutions to join their federation and that they expect to complete that effort by the end of the year.  I will be reaching out to JISC over the coming weeks to see if there is anything that Vanderbilt can do to help with those efforts, or to pilot those efforts.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Lessons from the UK Access Management Federation]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/05/lessons-from-the-uk-access-management-federation/</link>
<pubDate>Thu, 05 Nov 2009 15:55:54 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/05/lessons-from-the-uk-access-management-federation/</guid>
<description><![CDATA[Background: federation funded by two groups.  JISC (Joint Information Systems Committee) and Becta (]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Background: federation funded by two groups.  JISC (Joint Information Systems Committee) and Becta (Government organization focused on effective and innovative use of technology)</p>
<p>Federation today:</p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image6.png"><img style="display:inline;border:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb6.png?w=450&#038;h=168" border="0" alt="image" width="450" height="168" /></a></p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image7.png"><img style="display:inline;border:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb7.png?w=450&#038;h=335" border="0" alt="image" width="450" height="335" /></a></p>
<p>“Technology is easy.  It’s the people who are the challenge.”</p>
<p>To overcome issues with adoption and people’s concerns, they used pilot programs, training, outreach and support efforts for each group.</p>
<p>Defined a solid roadmap of activities that would be occurring, and when they would happen.</p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image8.png"><img style="display:inline;border:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb8.png?w=450&#038;h=340" border="0" alt="image" width="450" height="340" /></a></p>
<p>Most institutions became full members using open source software with in-house support.  This led to huge contributions from the various members.</p>
<p>Currently working on creating a standards-based infrastructure for international interoperation.  Is it now time to revisit the eduPerson specification?  There are local variations on this standard.  There is also some degree of interpretation when you get to things like “staff”.  More information about eduPerson at:</p>
<p><a href="http://middleware.internet2.edu/eduperson">http://middleware.internet2.edu/eduperson</a></p>
<p>SWITCH&#8217;s work on allowing users to give consent to attribute release:</p>
<p><a href="http://www.switch.ch/aai/support/tools/uApprove.html">http://www.switch.ch/aai/support/tools/uApprove.html</a></p>
<p>JISC review on OpenID, linking user-centric identity approaches with access management through institutional affiliation:</p>
<p><a href="http://www.jisc.ac.uk/publications/documents/openidfinalreport.aspx">http://www.jisc.ac.uk/publications/documents/openidfinalreport.aspx</a></p>
<p>Overall it was an interesting presentation.  Kind of a very high level view of federation.  Interesting that the federation effort is jointly done between JISC and the government for education.  Quite different from the American way which is more the InCommon approach of building it, and waiting for Universities to come to it, but not really as part of a government program.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Educause has joined InCommon Federation]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/05/educause-has-joined-incommon-federation/</link>
<pubDate>Thu, 05 Nov 2009 15:11:12 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/05/educause-has-joined-incommon-federation/</guid>
<description><![CDATA[Announced yesterday.  Very cool!]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Announced yesterday.  Very cool!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Identity Management Presentation]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/04/identity-management-presentation/</link>
<pubDate>Wed, 04 Nov 2009 23:26:50 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/04/identity-management-presentation/</guid>
<description><![CDATA[Well, my presentation went really well.  I am very pleased with it.  I had probably between 100-150 ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://danateducause2009.files.wordpress.com/2009/11/image5.png"><img style="display:inline;border-width:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb5.png?w=450&#038;h=338" border="0" alt="image" width="450" height="338" /></a></p>
<p>Well, my presentation went really well.  I am very pleased with it.  I had probably between 100-150 people in attendance.  People were involved in the presentation and engaged.  I don’t know if they recorded it or not, but I don’t think they did.</p>
<p>At the end of the presentation I had probably a good 10-15 minutes of questions and answers.  The questions were all around various challenges that we faced in our IDM implementation. After the presentation I had probably a dozen people stay after and ask further questions.  I was also approached by CW magazine and asked if I would write up an article about my presentation.  I am supposed to speak with the gentleman next week.</p>
<p>Overall I think it went really well.  Now I can relax and enjoy the rest of the conference.</p>
<p><a title="http://docs.google.com/present/edit?id=0AYTTIcM68WupZHRjMzJuNF8xMDJjdzg4cWpoZw&#38;hl=en" href="http://docs.google.com/present/edit?id=0AYTTIcM68WupZHRjMzJuNF8xMDJjdzg4cWpoZw&#38;hl=en">http://docs.google.com/present/edit?id=0AYTTIcM68WupZHRjMzJuNF8xMDJjdzg4cWpoZw&#38;hl=en</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Identity Crisis (1) - Membership vs Ownership]]></title>
<link>http://blog.xot.nl/2009/11/04/the-identity-crisis-1-membership-vs-ownership/</link>
<pubDate>Wed, 04 Nov 2009 21:44:12 +0000</pubDate>
<dc:creator>Jaap-Henk</dc:creator>
<guid>http://blog.xot.nl/2009/11/04/the-identity-crisis-1-membership-vs-ownership/</guid>
<description><![CDATA[Identity management &#8212; the process of establishing the identity of a remote user (or system), m]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Identity management &#8212; the process of establishing the identity of a remote user (or system), managing access to services by that user, and maintaining identity profiles concerning that user &#8212; is a very active field of research and development. There are already quite a few systems in use. However, many of these systems suffer severe security, privacy and usability issues. This results in an &#8220;Identity Crisis&#8221;, a theme I will explore more in the coming months.</p>
<p><!--more--></p>
<p>There are also several fundamental problems with identity management systems, that apply to all current models of identity management, and not just the current implementation of such models. One such issue is that identity management systems are being used to enforce different kinds of access rights. These access rights have different risk profiles, and therefore assume different trust relationships between users, identity providers and service providers. Unfortunately, people are unaware of this difference in access rights. This results in unacceptable risks. </p>
<p>The essential distinction one needs to make is between <em>membership</em> and <em>ownership</em> of a resource. </p>
<p>Identity management systems were first applied in business (to centralise access rights management to business applications) and education (to grant students access to the wireless network, the digital library and the computing facilities, even when they were from the same university). In both cases, what the identity management system really is being used for is to decide whether a certain user is a <em>member</em> of a group. In the first case it decides whether the user is a member of the group that has access to business application X. In the second case it decides whether the user is a student of a certain university or not. The resource being controlled is not owned by the user. And if someone abuses the resource, the user will not suffer damage. The risk of using the identity management system lies completely with the service provider. </p>
<p>More and more, identity management systems are being used to enforce <em>ownership</em> of a resource. The prime examples are online banking systems, and to a lesser extent email, chat, blog and social networking accounts. Illegal access to your bank account will hit you with a direct financial loss. Access to your email, chat and other systems may enable a criminal to &#8216;steal&#8217; your identity, which may hurt you in many other ways. In this case, the risk of using the identity management system lies completely with the user.</p>
<p>How does this affect the use of identity management systems? To enforce membership, identity management assumes different trust relationships than to enforce ownership. In the first case, the service provider needs to trust the identity provider to reliably authenticate its members. In the second case, the user needs to trust the identity provider to reliably authenticate him. These trust relationships need to be enforced either by technological means, or through mutual agreements (SLA) with associated penalties. In either case, an identity management system to enforce membership is different from an identity management system to enforce ownership.</p>
<p>Further refinements can be made, actually.</p>
<p>In the case of granting students access to university resources, the damage associated with abuse (and therefore the risk of using identity management) is quite low. Except for extreme, denial-of-service, cases, the university does not suffer any direct actual loss if non-students have access to the resources. This is the same for any <em>subscription</em> based digital service, like on-line music, or a digital newspaper, etc. Because the marginal cost of the copy is essentially zero, there is no direct loss if non-members have access too. The losses incurred by such services are indirect, and are basically the result of fewer sales.</p>
<p>Granting access to business applications (and the associated data in particular) is much more risky. Not because of loss of revenue, but because most of the data is confidential. It could cause real or financial damage when it becomes public. Similarly, there is a difference between access to a bank account, and access to an email account. It is interesting to explore the economic literature to see whether other types of access can be discerned, and how they influence the trust assumptions (and perhaps business models) in identity management.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Burton Group: Governance in IDM]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/04/burton-group-governance-in-idm/</link>
<pubDate>Wed, 04 Nov 2009 19:17:51 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/04/burton-group-governance-in-idm/</guid>
<description><![CDATA[Need to deal with many regulations, student behaviors, federated relationships, etc. What is governa]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Need to deal with many regulations, student behaviors, federated relationships, etc.</p>
<h4>What is governance?</h4>
<p>-Sets policy, establishes authority and responsibility, and implements accountability.  Governance is great for providing communication framework.</p>
<p>Strong governance team helps institutions:</p>
<p>-foster communication, achieve high data quality, promote application interoperability, avoid undue risk, etc.</p>
<h4>Goals of Governance:</h4>
<p>-build value, create transparency, achieve executives’ governance goals.</p>
<p>[So far, this is not a really strong presentation.  a couple people have already left.]</p>
<h4>Strong Governance Requires:</h4>
<p>sponsorship – maintain focus, relationships, overcome roadblocks, provide stewardship</p>
<p>ownership – individual or group.  has enforcement capability</p>
<p>Core Team – responsible for day to day direction.  need the right mix for this.</p>
<h4>what if you don’t have it?</h4>
<p>-redundant identity data propagated</p>
<p>-duplicitous application development</p>
<p>-potential use of sensitive data improperly</p>
<h4>Types of Governance Models</h4>
<p>-formal hybrid model – normal business model.  central group that makes policies.</p>
<p>-centralized IT model – similar to hybrid.  One core body.  it makes decisions.  [not sure the difference between this and hybrid]</p>
<p>-explicitly De-Centralized – high level group to set general policy, and then other specialized groups to implement policy</p>
<p>-No clear governance. – obvious.  don’t have any model in place.</p>
<p>five levels of maturity in governance models</p>
<p>1. initial – no process.</p>
<p>2. repeatable – starting to understand processes</p>
<p>3. defined – process documented, standardized and integrated.</p>
<p>4. managed -</p>
<p>5. optimized.</p>
<h4>Governance process is iterative</h4>
<p>need feedback mechanism to verify that processes are working correctly.  requirements –&#62; investment –&#62; usage –&#62; feedback.</p>
<p>[very dry presentation.  If this was done after a heavy lunch, everyone would be asleep.]</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Identity Management: Leveraging Federations]]></title>
<link>http://danateducause2009.wordpress.com/2009/11/03/identity-management-leveraging-federations/</link>
<pubDate>Tue, 03 Nov 2009 19:14:00 +0000</pubDate>
<dc:creator>dannanto</dc:creator>
<guid>http://danateducause2009.wordpress.com/2009/11/03/identity-management-leveraging-federations/</guid>
<description><![CDATA[http://userpages.umbc.edu/~jack/EDU2009-IDM.pdf Began with discussions in small teams around where w]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://userpages.umbc.edu/~jack/EDU2009-IDM.pdf">http://userpages.umbc.edu/~jack/EDU2009-IDM.pdf</a></p>
<p>Began with discussions in small teams around where we are in IDM and federation.  I think we are about in the middle of progress in our IDM implementation as compared with others around me.</p>
<p>One interesting idea is the thought that students should be able to manage and control their relationship with third parties. Students could have the ability to specify what information can be shared with which third party, or if they want their identities shared at all outside of campus.</p>
<p>Another interesting idea is that a few universities assume everyone has an alternate email address and cell phone.  They would gather that info early, and then that could lead to options for password resets and future communications.</p>
<p>Security around access to all these different systems is a big issue for several of the schools.</p>
<p>Great slide on IDM factors:</p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image.png"><img style="display:inline;border-width:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb.png?w=450&#038;h=338" border="0" alt="image" width="450" height="338" /></a></p>
<p>Another great slide on what is involved in IDM:</p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image1.png"><img style="display:inline;border-width:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb1.png?w=450&#038;h=325" border="0" alt="image" width="450" height="325" /></a></p>
<p>Very important to understand various roles that a student can have: prospective students get different resources than full time students/staff/faculty/etc.</p>
<p>Great chart on  the various services and the risk for each of those services:</p>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image2.png"><img style="display:inline;border:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb2.png?w=450&#038;h=333" border="0" alt="image" width="450" height="333" /></a></p>
<p>Interesting that after UMBC got their IDM process up and running, federated partners grew faster than systems in the University.  Lots of cloud services for UMBC: billing, parking, calendars, etc.</p>
<p>Three Core Concepts<br />
• People and Relationships<br />
• Creation and Management of Identities<br />
• Access to Data and Applications</p>
<h2>Federation: before and after InCommon:</h2>
<p><a href="http://danateducause2009.files.wordpress.com/2009/11/image3.png"><img style="display:inline;border-width:0;" title="image" src="http://danateducause2009.files.wordpress.com/2009/11/image_thumb3.png?w=450&#038;h=337" border="0" alt="image" width="450" height="337" /></a></p>
<h4>Federating Opportunities in Higher Education (InCommon)</h4>
<p>• Microsoft Dreamspark<br />
• iParadigm &#8211; TurnItIn<br />
• WebAssign (Math and Physics)<br />
• Apple &#8211; iTunes U<br />
• Digital Measures<br />
• e2Campus<br />
• Students Only Inc<br />
• Symplicity<br />
• Refworks<br />
• Kuali Foundation<br />
• OCLC<br />
• Burton Group<br />
• EBSCO Publishing<br />
• Elsevier<br />
• TeraGrid<br />
• NSF – research.gov<br />
• NIH<br />
• JSTOR<br />
• lynda.com<br />
• National Student Clearinghouse</p>
<h4>InCommon Silver</h4>
<p>- The Silver profile is fundamentally a set of “best practices” for identity and access management<br />
aligned with the recommendations in NIST 800-63 for level of assurance (LoA).</p>
<p><a href="http://www.incommonfederation.org/assurance/">http://www.incommonfederation.org/assurance/</a></p>
<p><a href="https://spaces.internet2.edu/display/InCCollaborate/InCommon+Silver">https://spaces.internet2.edu/display/InCCollaborate/InCommon+Silver</a></p>
<p>Collaborative Effort supported by InCommon<br />
Four Universities<br />
• University of Washington<br />
• Penn State<br />
• UC Davis<br />
• Johns Hopkins<br />
NIH Electronic Research Application (eRA)</p>
<p>Penn State is using the InCommon Silver document as a best practices for how to do IDM and IAM.</p>
<p>We need to learn more about this, and determine how we can participate in it.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Top Ten Mistakes Companies Make When Adopting SaaS]]></title>
<link>http://conformity.wordpress.com/2009/11/03/top-ten-mistakes-companies-make-when-adopting-saas/</link>
<pubDate>Tue, 03 Nov 2009 16:00:15 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/11/03/top-ten-mistakes-companies-make-when-adopting-saas/</guid>
<description><![CDATA[While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executive]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud.  A <a href="http://www.cio.com/article/504837/Why_Security_Matters_Now" target="_blank">recent article</a> in <em>CIO</em> <em>Magazine</em> notes a growing majority of execs are worried about cloud security.  These executives recognize that each SaaS application, like <a href="http://www.salesforce.com" target="_blank">Salesforce.com</a>, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol.  While no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:</p>
<ol>
<li><strong>Creating the ‘three-headed admin’</strong> &#8211; granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials.  Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.</li>
<li><strong>Hoping that everyone ‘locks the door’</strong> – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps.   If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.</li>
<li><strong>Applying a short term ‘band-aid’ for management</strong> &#8211; using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins.  This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.</li>
<li><strong>Attempting the IT ‘end-run’</strong> – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization.  As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.</li>
<li><strong>Delegating policy enforcement </strong>– relying on individual SaaS administrators to enforce corporate policies for roles and permissions.  Most organizations have access control policies and controls for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.</li>
<li><strong>Believing in a management ‘silver bullet’</strong> &#8211; assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges.  They don’t.</li>
<li><strong>Creating ‘two sets of rules’</strong> &#8211; treating SaaS governance differently than on-premise applications with regard to user identity and compliance.  Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.</li>
<li><strong>Failing to create a ‘rearview mirror’ for audit and compliance</strong> &#8211; failure to identify an approach for capturing an audit trail of access, usage, user change and permissions history.  Though delivered by a 3<sup>rd</sup> party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.</li>
<li><strong>Forgetting about compliance reporting</strong> &#8211; wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits.  Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.</li>
<li><strong>When in doubt, spending more</strong> &#8211; buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.</li>
</ol>
<p>We&#8217;d be interested in hearing what others are seeing and hearing in these areas as well&#8230;</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Conclusion]]></title>
<link>http://roseiorlano.wordpress.com/2009/11/06/conclusion/</link>
<pubDate>Fri, 06 Nov 2009 08:29:38 +0000</pubDate>
<dc:creator>roseiorlano</dc:creator>
<guid>http://roseiorlano.wordpress.com/2009/11/06/conclusion/</guid>
<description><![CDATA[Over the six weeks that I have been reporting on my experiences using Facebook, I have encountered i]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Over the six weeks that I have been reporting on my experiences using Facebook, I have encountered issues surrounding the notion of friendship, cross-cultural communication, privacy and portrayal of my image online. In addition I have reflected on my behaviour as this technology has enabled me to monitor friends and join a persuasive fan group, enabling actions that would never have been possible before.</p>
<p><strong>Friends</strong></p>
<p>Social network(ing) sites (SNSs) are not only changing the way we communicate, but also the social norms surrounding our understanding and definition of friendship. The debate <a title="Social network sites: Definition, history, and scholarship" href="http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html" target="_blank">boyd &#38; Ellison</a> (2007) and <a title="Social network(ing) sites...revisiting the story so far: A response to danah boyd &#38; Nicole Ellison" href="http://www3.interscience.wiley.com/cgi-bin/fulltext/119414153/HTMLSTART" target="_blank">Beer</a> (2008) began has a long way to go as SNSs are more widely used across a broad range of age groups.</p>
<p>Most of the research I have cited in this blog is based on American research of young (15–30 year old) participants. There is a lack of research on Facebook members over this age. This is primarily due to the perception that social network(ing) sites attract younger participants; however, more studies are needed to investigate whether this is, in fact, the case. Research on the attitudes and habits of more mature users is likely to reveal differences in areas such as the notion of friendship, views on privacy and resulting behaviour online. In support of this argument, <a title="A privacy paradox: Social networking in the United States" href="http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1394/1312" target="_blank">Barnes</a> (2006) notes that “adults tend to use the Web as a supplement to real-world activities while teenagers tend to ignore the difference between life online and offline”.</p>
<p>If this is the case, it may be a fundamental flaw in Beer’s (2008) argument that online and offline shouldn’t be separated, and it identifies a need for studies to investigate use and attitudes across a range of age groups.</p>
<p><strong>Language</strong></p>
<p>While SNSs make it possible for users to get in touch with people they would otherwise not have the opportunity to communicate with, Friendship connections are stifled when people speak different languages. Sites like Facebook certainly make it easier to communicate with many people at once, easily overcoming the tyranny of distance; however, cross-cultural communication remains a challenge. Free translation websites have been around for many years, but they are not always accurate and are unable to manage variations in regional dialects. As a result, creating a truly global experience using this technology remains an opportunity.</p>
<p><strong>Persuasion</strong></p>
<p>The very nature of Facebook is about persuasion – to join, add Friends, share stories and photos, and to return again and again. More often, its level of influence is used one on one. However, SNSs also enable users to influence en masse in what <a title="Mass interpersonal persuasion: an early view of a new phenomenon" href="http://www.bjfogg.com/mip.pdf" target="_blank">Fogg</a> (2008) calls ‘mass interpersonal persuasion’ (MIP). The potential for this use among ordinary[i] individuals is enormous and, I would argue, is only in its infancy.</p>
<p><strong>Privacy</strong></p>
<p>It is not unusual for technology to be ahead of the law, creating a minefield of privacy issues around SNSs like Facebook. In the same way, users don’t seem to be concerned about privacy on Facebook even though they express concern about privacy in general (<a title="Imagined communities: Awareness, information sharing, and privacy on the Facebook" href="http://petworkshop.org/2006/preproc/preproc_03.pdf" target="_blank">Acquisti &#38; Gross</a>, 2006). Whether users are simply naive or unaware of potential threats is not altogether clear; however, their outrage after the launch of Facebook’s ‘News Feeds’ feature provides some insight into their attitudes and behaviour when they feel their privacy is violated (<a title="Facebook’s privacy trainwreck: Exposure, invasion, and social convergence" href="http://www.danah.org/papers/FacebookPrivacyTrainwreck.pdf" target="_blank">boyd</a>, 2008).</p>
<p>Boyd (2008) explores whether the loss of control over our privacy is simply the cost of social convergence. She argues that privacy is not a right, but a privilege that must be protected and asks: “The question remains as to whether or not privacy is something that society wishes to support.” Is our need to connect stronger than our desire for privacy?</p>
<p>Technology is developing at a rapid pace, bringing about new features for SNSs. The experience from the launch of Facebook’s ‘News Feeds’ feature shows us that users may embrace these developments, but not at the expense of losing control over their privacy. Ironically, the same technology that threatens their privacy also gives users the power to object en masse.</p>
<hr size="1" /><p>[i] Ordinary meaning not famous, rich or a media personality.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[I’ve been tagged ]]></title>
<link>http://roseiorlano.wordpress.com/2009/10/23/i%e2%80%99ve-been-tagged/</link>
<pubDate>Fri, 23 Oct 2009 07:17:38 +0000</pubDate>
<dc:creator>roseiorlano</dc:creator>
<guid>http://roseiorlano.wordpress.com/2009/10/23/i%e2%80%99ve-been-tagged/</guid>
<description><![CDATA[Some photos appeared on my page today. One of my Friends who I worked with at McDonald’s long ago de]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Some photos appeared on my page today. One of my Friends who I worked with at McDonald’s long ago decided to put some photos of a group of us on her page. Because she tagged me in them, they also appeared on my page. I have two issues with this. Firstly, while the photos are not unsavoury in any way, I simply don’t want them on my page (that we’re all wearing pyjama-like uniforms may have something to do with it). Secondly, the lack of control over my own image and what appears on my page disturbs me. Can I delete these photos? And what does wanting to delete them say about me?</p>
<p>In exploring the current social uses of personal photography to examine the impact of camera phones, <a title="Picture this: The impact of mobile camera phones on personal photographic practises" href="http://www.swin.edu.au/sbs/media/netlit/continuum_lisa.pdf" target="_blank">Gye</a> explains the difference between the use of personal photography for self-expression and self-presentation. In discussing self-expression, she asks: “What do the photographs we take tell the world about who we are?” In relation to self-presentation, we could similarly ask: What do the photographs we choose to display or delete tell the world about who we are? Gye notes that photographs that are used for self-presentation “reflect the view of ourselves that we want to project into the world.” I clearly don’t want to be associated with my 15-year-old, ‘80s perm, striped-uniform wearing self.</p>
<p>Research conducted by <a title="Privacy perceptions of photo sharing in Facebook" href="http://cups.cs.cmu.edu/soups/2008/posters/besmer.pdf" target="_blank">Besmer &#38; Lipford</a> (2008) identified that privacy concerns about photo sharing were surprisingly not always about security but rather about “identity management within a user’s social circles.” Interestingly, participants in this study mentioned the positive aspects of tagging in making them aware that photos of them have been posted online. As one participant commented: “What if [there are] pictures out there that you’re not tagged in? How do you know that the picture is out there&#8230;[?].”</p>
<p>So while being tagged is not always favourable, tagging at least presents users with some control over their image by making them aware of the photo in the first place.</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
