The Black Book of Identity Access Mgmt


    Thursday, Jan 06, 2011

    SSO, RSO, WTF

    About three years ago, I did a pitch to a potential partner in Cleveland. Identity management, access management, single sign-on, the usual. The head guy there, Ken, liked the overall value proposition, except for SSO. He said that while plenty of their customers liked it, naturally, he himself was not a big fan. Internally, he told me, they didn’t believe in SSO at all. He said it made them less secure. Break one password, you’ve broken them all. And he was right. SSO is not a security value; it is user experience. It’s convenience. Customer service. Employee productivity. It can make various disconnected links look like they’re part of one big portal.

    Fewer passwords mean less time getting locked out, I suppose. But it’s true: if you hack my SSO password, you’re into all my other accounts.

    Increasingly I hear about RSO, or Reduced Sign On. Instead of remembering one password to sub for twenty, you remember, let’s say, three or four.

    These days you can log into various websites, like HuffingtonPost or a number of political and news sites, using your AOL or AIM creds, or even Facebook or Twitter. Log into YouTube, and it wants to link you up to their sister company. You can link all these accounts. I still haven’t taken up Yahoo on the offer to be my password valet, despite the less-hassle factor. I don’t live on any of these sites enough to care (although I see a handful of so-called adult professionals posting every damn sneeze and butt scratch on FB – grow up!).

    And it’s not just somebody hacking a site. It’s your vault, the place where you stash your multiple IDs, your gateway info to the multiple apps and domains you hit. ESSO, OAM, and now Passlogix are how Oracle handles these various keys. They’re kept safe and secure. The scary part is, the bad guys know where they’re at. The less scary part is, that doesn’t mean they can get at them.

    One of the cool things about federation is providing just enough info to a site that it lets me in, without having to let it look down my throat. It takes site to site trust, but if Site B trusts the Site A I just came from, I’m in good shape. That’s what I do NOT like about how it’s being handled out there on the web. I recently wanted to comment on a site where idiots insisted Barack Obama was born in Kenya. I could authenticate with my Facebook creds, but the site wanted me to allow them to grab all my FB profile info. I declined, and therefore left them to wallow in their redneck ignorance.
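    The site-to-site trust described above, as an added illustration that is not code from the post or from any Oracle product: Site A issues an assertion carrying only the claims the visitor agreed to release, and Site B admits the visitor only if the assertion comes from an issuer it already trusts, is unmodified and has not expired. The HMAC-signed token stands in for a real SAML or OIDC token, and the issuer names and shared secrets are constructed for the example.

```python
"""Minimal federated login check (added example; constructed secrets)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed: the issuers Site B has a trust relationship with, and the
# secret each one signs with. An assertion from anyone else is worthless here.
TRUSTED_ISSUERS = {
    "site-a.example": b"constructed-secret-shared-with-site-a",
}

# The only claims Site B needs to let someone in. No profile dump required.
REQUIRED_CLAIMS = {"iss", "sub", "exp"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, secret: bytes, subject: str,
                    released_claims: dict, ttl: int = 300,
                    now: Optional[float] = None) -> str:
    """Site A side: sign only the claims the visitor agreed to release."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "exp": int(now) + ttl}
    payload.update(released_claims)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(token: str, now: Optional[float] = None) -> dict:
    """Site B side: trusted issuer, intact signature, not expired.
    Returns the claims on success and raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise ValueError("malformed assertion") from exc
    if not isinstance(payload, dict):
        raise ValueError("malformed assertion")
    missing = REQUIRED_CLAIMS - payload.keys()
    if missing:
        raise ValueError(f"missing claims: {sorted(missing)}")
    secret = TRUSTED_ISSUERS.get(payload["iss"])
    if secret is None:
        raise ValueError(f"untrusted issuer: {payload['iss']}")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if payload["exp"] <= now:
        raise ValueError("assertion expired")
    return payload


def demo(now: float = 1_700_000_000.0) -> dict:
    """Three cases: minimal claims accepted, an issuer Site B never agreed
    to trust rejected, and a subject swapped after signing rejected."""
    secret = TRUSTED_ISSUERS["site-a.example"]
    # Visitor released nothing beyond a stable identifier: still gets in.
    token = issue_assertion("site-a.example", secret, "user-123", {}, now=now)
    results = {"claims_received": sorted(verify_assertion(token, now=now))}
    # Same token format, but from an issuer Site B has no relationship with.
    rogue = issue_assertion("site-x.example", b"other", "user-123", {}, now=now)
    try:
        verify_assertion(rogue, now=now)
        results["untrusted_issuer"] = "accepted"
    except ValueError as exc:
        results["untrusted_issuer"] = str(exc)
    # Body edited after signing: the signature no longer matches.
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["sub"] = "someone-else"
    forged = f"{_b64(json.dumps(payload, sort_keys=True).encode())}.{sig}"
    try:
        verify_assertion(forged, now=now)
        results["tampered"] = "accepted"
    except ValueError as exc:
        results["tampered"] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The point of the example is the shape of the check rather than the token format: the relying party decides whom it trusts in advance, verifies the assertion it is handed, and asks for nothing beyond the claims it needs to make the access decision.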

    There’s a little white lie in my IAM book. I tell of a story in which a guy used as his password the vulgar nickname he had for his dog. In fact, it was the vulgar nickname he had for his wife. He was, indeed, a scumbag. But McGraw-Hill asked that I change the story to be a little friendlier. Regardless, it was something he could remember.

    I keep in my head not one, but a half-dozen strong passwords, combos of upper/lower, numeric and special character strings of a reasonable size. When one expires, I move to the next. These serve me well, and if I forget which one I used at a particular site, I cough up one of the others, and I’m in. Takes a wee bit longer, but RSO is definitely a safer way to go. Especially since my wife only goes by one name, and she likes it like that.