The Black Book of Identity Access Mgmt
    Monday, Aug 30, 2010

    Step away from the security policy, sir

    ONE OF THE THINGS I REALLY HATE ABOUT FACEBOOK is how dumb it makes people. I already kinda knew that, and saw no personal reason to sign up. I only created an account because my wife and kids bugged me repeatedly until I did. I have never sent an invite to anyone, although I have accepted them. An old boss who’s actually a real slug reached out to me. So have a few other colleagues whom I’ve never really hung out with. To me, that’s what LinkedIn is for.

    But from the very beginning, I’ve always managed to remember that, once I’m connected to someone, they can see whatever I post. And I don’t post much, but when I do, BANG, it’s out there. I’ve gotten friend invites from some younger folks, mostly neighbors and friends of my kids. These I tend to ignore, since an older gentleman such as myself, though suave and debonair and upstanding, being friends with a young kid on Facebook is downright creepy.

    Anyway, it annoys the ^#&$^ out of me that people who should know better use UNBELIEVABLE language in their Facebook posts when they KNOW who all can see it. This includes even relatives. And it’s not just the language itself, but the application of that language, to describe behavior and bodily functions and other things that should go unmentioned in public. I regularly, privately remind people, “Your nephew/niece/DAUGHTER can see this stuff. What are you thinking?”

    And so I fall back on that old chestnut, “Just because you CAN doesn’t mean you SHOULD.”

    I also can’t believe the poorly thought-out stuff I’ve seen as far as security policies.

    I once put in some auth/AZ software at a large manufacturer where the partner proceeded to custom-code SO many auth policies that it took up to a minute to log in. They put in FIFTY-SEVEN policies, to be exact. And then when it blew up in load testing, the partner screamed and said, “Boy, is the customer ever mad at YOU. Your product is dying. Get somebody in here, fast.” And when we found out it was their crappy custom code that was killing everything, I made those clowns write a check for our T&E to parachute in on a Saturday.

    And I’ll beat this one up again. If a site doesn’t allow strong passwords, such as the use of special characters, it’s because they’re too lazy to put in logical defenses against SQL injection. Instead of banning the right characters, they just ban any non-alphanumerics.
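The point above, as an added example that is not part of the original post: the "ban every non-alphanumeric" policy beside the two things that actually make special characters safe, a parameterised query and a salted hash so the password never lands inside a SQL string. The schema, the account name and the password are constructed for the example; the PBKDF2 parameters are an assumption, not something the post specifies.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed in-memory schema for the example: one table written the lazy way
# (plaintext password spliced into SQL) and one written properly (salted hash,
# password never touches a SQL string).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_weak (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

# The "reject everything non-alphanumeric" policy the post complains about.
def lazy_policy_accepts(password: str) -> bool:
    return re.fullmatch(r"[A-Za-z0-9]+", password) is not None

# Assumed hashing parameters (PBKDF2-HMAC-SHA256 from the standard library).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register_weak(db: sqlite3.Connection, name: str, password: str) -> None:
    db.execute("INSERT INTO users_weak VALUES (?, ?)", (name, password))

def login_weak(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Input spliced into the statement. An apostrophe in the password breaks the
    # SQL, so the lazy fix is to forbid the character rather than fix the query.
    sql = (f"SELECT 1 FROM users_weak WHERE name = '{name}' "
           f"AND password = '{password}'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False   # the statement failed to parse: even the right password is rejected

def register_strong(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def login_strong(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterised query: the password is data, never SQL, so any character is fine.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo() -> dict:
    db = make_db()
    password = "don't p@nic, it's 42"      # constructed: spaces, apostrophes, @ and ,
    register_weak(db, "alice", password)
    register_strong(db, "alice", password)
    return {
        "lazy_policy_accepts": lazy_policy_accepts(password),
        "weak_login_correct": login_weak(db, "alice", password),
        "strong_login_correct": login_strong(db, "alice", password),
        "strong_login_wrong": login_strong(db, "alice", "wrong"),
    }

if __name__ == "__main__":
    print(demo())
```

Run it and the weak table rejects the correct password outright, because the apostrophe turned the statement into a syntax error; the parameterised version accepts the same password and rejects a wrong one, with no character restrictions needed at all.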

    And hosting security off-site, as in "Come to my domain, I'll send you to another domain to log in, then I'll see you right back here shortly," often results in REALLY lousy performance.

    This is why policy decisions should be peer-reviewed, and why at least one person on any committee should be somebody who picks up a magazine once in a while to see what the rest of the world is thinking. Security, unlike bodily functions, is everybody’s business.

    

    Tuesday, Aug 24, 2010

    How do I get THAT job?

    Years ago, I had a buddy who worked at an exchange. He was one of those ninnies who stood in the trading pit, screaming at the top of his lungs, buying and selling commodities. Open outcry, they call it. Open sewer, I called it, after meeting some of his sleazy colleagues, and watching from the gallery how barbaric capitalism can be.

    Most of the traders had little or no college. Several I met hadn’t finished high school. But they could make ungodly amounts of money. All they had to do was stand shoulder to shoulder with a bunch of other soulless scumbags and scream, all day long.

    Since there was no schooling or real training involved, I asked, how the hell do you get INTO this? My buddy told me, it was all about connections. He got into it through his uncle, who at one time had been a heroin addict. No kidding. The uncle had gotten in because of somebody else he knew.

    I sometimes wonder about IT managers. I get asked some of the dumbest damn questions by security guys, and I wonder, “You make a lot of money doing this. Does your aunt own the company? Do you have naked pictures of somebody? Did the CSO lose a bet? Are you considered a charity case? You don’t seem to know anything about security, so I was just curious.”

    At one joint, the security manager told me at the start, “We’re a Microsoft shop.” They had hordes of ungoverned AD groups, completely unsecured SharePoint deployments, and they hadn’t passed a single security audit. Yet his burning desire was to implement SSO, for the sake of convenience.

    “Okay, let’s talk about SSO,” I conceded. “Does this mean web SSO?”

    “What do you mean by that?” he asked.

    “Browser based.”

    “Oh. I guess so.”

    I asked him about fat client SSO. He wanted to know what a “fat client” was. I mentioned client-server. Oh, that started a whole other conversation.

    What he wanted by way of SSO was to log into a desktop, then move seamlessly to their cloud vendors. I said, “Oh, federation.” Which he’d heard of, but couldn’t really define. Just for laughs, I mentioned SAML. Deer in the headlights.

    I asked, “How do you log in right now? What’s the mechanism? The interface?”

    He replied, “Uh, just Windows.”

    I asked, “Okay, just the Windows GINA?”

    “GINA?”

    This guy was in CHARGE. Holy crap, he was in charge. Now a software sales guy (meaning a guy who should have a pimp for an older brother, so he’ll have somebody to look up to), will say in a case like this, “These guys know nothing, I can sell them anything I want.” But from my experience, folks who are completely ignorant at least know what they don’t know, and will spend a lotta time getting educated before blowing a big chunk of budget. Therefore, stupid people take even longer to sell to.

    Luckily, the vast majority of the time, security officers are intelligent, experienced, and know what questions to ask. At the very least, they’ll be able to define their own inventory of pieces, including their missing pieces. Just like I married a smart woman, I’d much rather sell to smart customers.

    Like my neighbor once told me, “I love my nephew to death. But I’d never HIRE the dummy.”

    I think the issue is that security is a broad subject. Whenever recruiters call, they always say, “I’m looking for a security guy.” And I ask, “Do you mean network/perimeter, app sec, firewall, identity, authorization, compliance? Can you be more specific?”

    So if you’re going to put somebody in charge of identity, make sure their background isn’t strictly tokens or firewall or some other niche. Identity and access should be their own specialty. It’s your enterprise, your identities, the keys to your assets. Don’t trust it to somebody who knows algebra, hoping he’ll pick up geometry on the job.

    

    Friday, Aug 20, 2010

    My new password is "My, you h@ve a lovely bunch of c0c0nuts"

    I recently read a story at CNN.COM in which the author quotes a study by the Georgia Institute of Technology in which researchers say we should all be using twelve-character passwords. They were able to crack a bunch of eight-character passwords in a couple of hours, but estimated it would take thousands of years to crack a bunch of twelvers.

    The story quotes other security experts who say we should use entire sentences as passwords.

    The one speck of sanity in the story says we should use special characters in our passwords.

    Let me use a technical term here. That term is “dumbass.” Longer passwords are a dumbass idea. STRONG passwords are the way to go. Anybody who uses a full sentence as their password should not be allowed near a keyboard, since they’re likely to take down the whole Net by typing very stupid things into it.

    Any non-dumbass IdM system in the world will foil the eight-char password brute force hack in multiple ways.

    1) Require strong passwords with a combo of alphanumerics, case-sensitivity, and special chars.

    2) Allow a finite number of invalid attempts before freezing the account until 15-20 minutes pass, or an admin reactivates it.

    3) Alert the admin of repeated bad attempts.

    4) Require password changes every X number of weeks or months.
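The four controls above, as an added example that is not part of the original post: a policy check for point 1, a failure counter with a timed lockout and an admin unlock for point 2, an alert log for point 3, and a password-age check for point 4. The thresholds (five failures, alerts from the third failure, a 15-minute lockout, a 90-day maximum age) and the injectable clock are assumptions made for the example, and the password is held in plaintext only to keep the block short.

```python
import re
import time
from dataclasses import dataclass

# Assumed thresholds for the example; tune to your own policy.
MAX_FAILURES = 5
ALERT_THRESHOLD = 3
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_DAYS = 90

def is_strong(password: str) -> bool:
    """Point 1: lower and upper case, a digit, a special character, sane length."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

@dataclass
class Account:
    name: str
    password: str            # plaintext only for brevity; store a salted hash in real code
    password_set_at: float
    failures: int = 0
    locked_until: float = 0.0

class AuthGuard:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so the lockout can be simulated offline
        self.accounts: dict[str, Account] = {}
        self.alerts: list[tuple[str, int]] = []   # point 3: what the admin would be told

    def add(self, name: str, password: str, set_at: float) -> None:
        if not is_strong(password):
            raise ValueError("password does not meet policy")
        self.accounts[name] = Account(name, password, set_at)

    def login(self, name: str, password: str) -> str:
        acct = self.accounts.get(name)
        now = self.clock()
        if acct is None:
            return "no_such_user"
        if now < acct.locked_until:
            return "locked"
        if acct.locked_until:                  # lockout window has elapsed
            acct.locked_until, acct.failures = 0.0, 0
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= ALERT_THRESHOLD:
                self.alerts.append((name, acct.failures))
            if acct.failures >= MAX_FAILURES:  # point 2: freeze the account
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad_password"
        acct.failures = 0
        if now - acct.password_set_at > MAX_PASSWORD_AGE_DAYS * 86400:
            return "password_expired"          # point 4
        return "ok"

    def unlock(self, name: str) -> None:
        """Point 2, the admin path: reactivate without waiting out the timer."""
        acct = self.accounts[name]
        acct.locked_until, acct.failures = 0.0, 0

def simulate() -> dict:
    """Constructed scenario: six wrong guesses, then the right password."""
    t = [1_000_000.0]
    guard = AuthGuard(clock=lambda: t[0])
    guard.add("bob", "Lovely-c0c0nuts", set_at=t[0])
    attempts = [guard.login("bob", "guess") for _ in range(6)]
    locked_even_with_correct = guard.login("bob", "Lovely-c0c0nuts")
    t[0] += LOCKOUT_SECONDS + 1
    after_lockout = guard.login("bob", "Lovely-c0c0nuts")
    t[0] += (MAX_PASSWORD_AGE_DAYS + 1) * 86400
    after_90_days = guard.login("bob", "Lovely-c0c0nuts")
    return {"attempts": attempts,
            "locked_even_with_correct": locked_even_with_correct,
            "after_lockout": after_lockout,
            "after_90_days": after_90_days,
            "alerts": len(guard.alerts)}

if __name__ == "__main__":
    print(simulate())
```

The lockout is what makes a few-hours crack of an eight-character password irrelevant for online guessing: after five wrong tries the correct password itself is refused until the window passes. One caveat on point 4: current NIST SP 800-63B guidance drops forced periodic rotation unless there is evidence of compromise, so treat the age check as a policy knob rather than a given.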

    This story purports to quote security “experts.” These are experts? Holy sh|t, Batman, we’re all in a lot of trouble.

    

    Friday, Aug 20, 2010

    Hi, I'm your host, and no, I don't have your car keys

    In the last six months, I visited an organization that outsources literally dozens of their services. They have nearly twenty key services for which they create separate IDs, and for which they have no single sign-on (which is a whole other issue). I keep obsessing over this place, since I wonder if this IS the future. Payroll, HR management, healthcare, personal achievement, all the big functions are handled over the web. And okay, since it’s the term du jour, we’ll say over the Cloud. Gmail is called a cloud vendor now. Okay, fine.

    Fast forward to a couple of weeks ago, and I was at a gathering where we discussed the matter of, should service providers also provide identity services as part of their offering? This gets really complicated.

    My immediate answer is, unless a provider is THE identity source of truth, then NO, they should not provide IdM. They would keep enough of an identity to provide their current service, and that’s about it.

    Here’s how it ought to work. Let’s say I work for MegaBigCorp. I get to my desktop each morning and authenticate. When I need to check on my health claims, or my 401K, I click a link, the home server generates a SAML assertion for me, and off I go. The provider gets the ticket, says “I know you, and I know what level of access you get, so come on in.” That simple.

    So what does that provider need to know about me? Only as much as it needs to. My id, which it links to my role and therefore my access. My employer should be my source of truth, and share only what it needs to.

    Another sticky bit is when the provider doesn’t even host what little IdM it does provide. The 401K guy manages the money, but uses another provider to manage security and identity. Ouch. The latency is often, as they say in the lab, sucky.

    What’s supposed to drive a proper cloud relationship is federation. I log the user in, I hand you an assertion with identity and role and maybe a few choice attributes (or maybe YOU keep the attributes and look them up when I hand over the identity), and that’s the end. That’s why there’s a Ping Identity, or a Symplified, or an Oracle Identity Federation.

    I’ve read various discussions on whether SaaS vendors should host identity. The correct answer is, they don’t need the liability, and they don’t necessarily have the smarts, so they should host their content, and leave identity to the originator who should own it.
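The flow described in this post (the home server issues an assertion, the provider checks it and maps role to access, and the provider learns only what it needs) as an added example that is not the post's own code. It is a deliberately reduced stand-in for SAML: an HMAC over a JSON payload with a shared key plays the part of the XML signature and IdP certificate, and the employer record, provider name, role table and key are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared key between MegaBigCorp's home server and the 401K site.
# Real SAML uses XML signatures verified with the IdP's certificate instead.
SHARED_KEY = b"example-federation-key-not-for-reuse"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- Home server: the identity source of truth -------------------------------
EMPLOYEES = {   # constructed HR record; far more than any provider should see
    "jdoe": {"role": "employee", "ssn": "000-00-0000", "salary": 1, "dept": "IT"},
}

def issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """Release only subject, role, audience and lifetime, never the HR record."""
    body = {"sub": user, "role": EMPLOYEES[user]["role"], "aud": audience,
            "iat": now, "exp": now + ttl}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(sig)

# ---- Provider: the 401K site, which keeps no passwords at all ----------------
PROVIDER_ID = "401k.example"
ROLE_ACCESS = {"employee": {"view_balance"},
               "benefits_admin": {"view_balance", "edit_plan"}}

def accept_assertion(token: str, now: int) -> tuple:
    """Check signature, audience and lifetime, then map role to permissions."""
    try:
        p64, s64 = token.split(".")
        payload, sig = unb64(p64), unb64(s64)
    except (ValueError, binascii.Error):
        return False, "bad_format"
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    body = json.loads(payload)
    if body.get("aud") != PROVIDER_ID:
        return False, "wrong_audience"
    if now >= body["exp"]:
        return False, "expired"
    perms = ROLE_ACCESS.get(body["role"])
    if perms is None:
        return False, "unknown_role"
    return True, {"user": body["sub"], "permissions": perms}

def demo() -> dict:
    """Constructed exchange: one good login and three that must be refused."""
    now = 1_700_000_000
    token = issue_assertion("jdoe", PROVIDER_ID, now)
    p64, s64 = token.split(".")
    # Provider-side negative test: payload altered after signing must fail.
    altered = json.loads(unb64(p64))
    altered["role"] = "benefits_admin"
    altered_token = b64(json.dumps(altered, separators=(",", ":"),
                                   sort_keys=True).encode()) + "." + s64
    return {
        "ok": accept_assertion(token, now + 10),
        "wrong_audience": accept_assertion(issue_assertion("jdoe", "payroll.example", now), now + 10),
        "expired": accept_assertion(token, now + 600),
        "tampered": accept_assertion(altered_token, now + 10),
        "token_payload": json.loads(unb64(p64)),
    }

if __name__ == "__main__":
    print(demo())
```

What the provider ends up holding is a role-to-permission table and a verification key; the source of truth stays at the employer, and the payload it releases carries the subject and role but none of the HR fields. Lifetime and audience checks are what stop one provider's assertion from being replayed against another.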

    

    Monday, Aug 9, 2010

    Shameless plug #2

    The marketing braintrust here at the super-secret IAM organization has produced a cute little video showing me returning home from a meeting to my box of author's copies of my new book, "Designing an IAM Platform with the Oracle Identity and Access Management Suite." Check out the video HERE. I hope you like the song. My kids made fun of me for not knowing it. "Dad, you moron, it's the Black-Eyed Peas." The prophet is never loved in his own land, even if his book is going to help pay for somebody's college.