Anil John

Reality of XACML PEP-PDP Interoperability

Anil John — Sun, 28 Sep 2008 04:11:50 GMT

What is the current state of interoperability between XACML PEPs and PDPs from different vendors? I am currently looking to see if there is a consistent implementation of PDP interfaces among the multiple Fine Grained Authorization/Entitlement vendors such that I can point a XACML PEP from one vendor to the XACML PDP of multiple vendors and not have to do custom integration to make it work.

Back in February 2007, Burton Group issued a challenge to the the industry to demonstrate interoperability of XACML. Some of the questions they asked were "Can enterprises really mix and match policy administration points (PAPs), policy decision points (PDPs), and policy enforcement points (PEPs) from different vendors? Is the XACML RBAC Profile practical? Or will we find that different interpretations of the specification yield less than satisfactory levels of interoperability?"

The industry responded, via the OASIS XACML TC, in June 2007 by having the first XACML Interoperability Demo at the Burton Group Catalyst conference. There were two particular use cases in this demo, which required interoperability between vendor implementations of PEPs, PDPs and PAPs:

Authorization Decision Request/Response
Policy Exchange

I am particularly interested in the first scenario and in looking at the interop scenario document, it would appear that some specific choices were made in order to make this work:

Implementation of the XACML Interface of the PDP as a SOAP Interface which accepts a XACMLAuthzDecisionQuery and returns a XACMLAuthzDecisionStatement which are contained in the SOAP body.
Use of the SAML 2.0 Profile for XACML 2.0 which defines a Request/Response mechanism for carrying xacml-context:Request and xacml-context:Response elements.

In effect, what you ended up with in order to make this work is the implementation of a standardized SOAP interface that adhered to the following Request/Response (Taken from the interop scenario document):

Sample SOAP SAML XACML Request wrapper:

Sample SOAP SAML XACML Response wrapper:

I attended this event and remember coming away impressed at the results while simultaneously amused at some of the coding heroics of the vendors who, if I remember correctly, in some cases had very short time frames to work with.

It has now been more than a year since this interop event and at this point I have a very simple question for the vendors in this space "Who among you actually implement this interoperable interface specification in your current shipping product?"

From what I see to date (and I am more than happy to be corrected on this point) is that while many vendors claim conformance and implementation of the XACML 2.0 standard, their PDP interfaces are still proprietary and unique. Oh, don't get me wrong, these interfaces may be implemented using web services etc. BUT each web service implementation is unique and special to that vendor and does not follow any consistent interface specification and as such is an integration exercise that is left up to implementers if you have PEPs from multiple vendors. e.g. XML Security Gateways or Software PEPs from multiple vendors which need to talk to a XACML PDP.

del.icio.us Tags: XACML,PEP,PDP,Interop

Technorati Tags: XACML,PEP,PDP,Interop

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer, except where explicitly stated. This work is licensed under a Creative Commons Attribution 3.0 License.

Information Disclosure Threats and Web Services

Anil John — Sun, 21 Sep 2008 19:09:18 GMT

In the physical world, when an attacker is preparing to assassinate someone or bomb a target, the first thing that they will do is to determine how best to set up that attack. The phrase used to describe the initial phase of the set-up is called 'pre-operational surveillance'.

Unfortunately, the default configuration of most web services allow a potential attacker to do the digital equivalent of pre-operational surveillance very easily. In the digital world, these type of threats are often classified under the category of 'Information Disclosure Threats'. There are two in particular (there are more) that I would like to call attention to:

SOAP Fault Error Messages
WSDL Scanning/Foot-Printing/Enumeration

1. SOAP Fault Error Messages

All too often, detailed fault messages can provide information about the web service or the back-end resources used by that web service. In fact, one of the favorite tactic of attackers is to try to deliberately cause an exception or fault in a web service in the hope that sensitive information such as connection strings, stack traces and other information may end up in the SOAP fault. Mark O'Neill has a recent blog entry 'SOAP Faults - Too much information' in which he points to a vulnerability assessment that his company did of a bank that provided information that enabled an attacker to understand the infrastructure the bank was running and presumably allowed them to further tailor the attack.

The typical mitigation for this type of information disclosure is the implementation of the 'Exception Shielding Pattern' as noted in the Patterns & Practices Book 'Web Service Security' [Free PDF Version] which can be used to "Return only those exceptions to the client that have been sanitized or exceptions that are safe by design. Exceptions that are safe by design do not contain sensitive information in the exception message, and they do not contain a detailed stack trace, either of which might reveal sensitive information about the Web service's inner workings." (FULL DISCLOSURE: I was an external, unpaid, technical reviewer of this book).

You can either implement this pattern in software or use a hardware device like a XML Security Gateway to implement this pattern. Mark utilized a Vordel Security GW, but this is something that can be implemented by all devices in this category. I have direct experience with Layer 7 as well as Cisco/Reactivity Gateways and happen to know that they support this functionality and I don't doubt that IBM/DataPower and others in this space support it as well.

Note that this does not imply that the error's that happen are not caught or addressed but simply that they are not propagated to an end-user.

2. WSDL Scanning/Foot-Printing/Enumeration

Appendix A of 'NIST 800-95: Guide to Secure Web Services' provides a listing of common attacks against web services, and you will note that there are many references to the information that can be found in a WSDL that can lend itself to a variety of attacks including Reconnaissance Attacks, WSDL Scanning, Schema Poisoning and more.

And in the 'Security Concepts, Challenges, and Design Considerations for Web Services Integration' article at the "Build Security In" web site sponsored by the DHS National Cyber Security Division, it notes that "An attacker may footprint a system’s data types and operations based on information stored in WSDL, since the WSDL may be published without a high degree of security. For example, in a world-readable registry, the method’s interface is exposed. WSDL is the interface to the web services. WSDL contains the message exchange pattern, types, values, methods, and parameters that are available to the service requester. An attacker may use this information to gain knowledge about the system and to craft attacks against the service directly and the system in general."

The type of information found in a WSDL, and which can be obtained simply by appending a ?WSDL to the end of a service endpoint URL, can be an extremely useful source of info for an attacker seeking to exploit a weakness in a service, and as such should not be provided or simply turned off.

There are multiple ways of mitigating this type of an attack which include turning off the automatic ?WSDL generation at the SOAP stack application level or by the configuring the intermediary that is protecting the service end-point. For example, most XML Security Gateway's by default turn off the ability to query the ?WSDL on a service end-point.

I consider this to be a very good default.

When this option is implemented, there are often a variety of questions that come up that I would like a take a quick moment to address.

Q. If you turn off the automatic WSDL generation capabilities (i.e. ?WSDL) how are developers supposed to implement a client that invokes the web service?

There are two ways. (1) Publish the WSDL and the associates XML Schema and Policy files in an Enterprise Registry/Repository that has the appropriate Access Control Mechanisms on it so that a developer can obtain a copy of the WSDL/Schema/Policy Documents at design time. (2) Provide the WSDL/Schema/Policy files out of band (e.g. Zip File, At a protected web site) to the developer.

Oh yes, there is always the run-time binding question that comes up here as well. What I will say is that run-time binding does not mean "run time proxy generation + dynamic UI code generation + glue code" but simply that the client side proxy and the associated UI and glue code are generated at design time, but that the end-point that the client points to may be a dynamic lookup from a UDDI compliant Registry. I've done this before and this does not require any run-time lookup of a web service's WSDL.

There is an additional benefit to this method as well. Have you ever gone through the process of defining a WSDL and Schema using best practices for web services interoperability, implemented a service using that WSDL and Schema, and then looked at the auto-generated WSDL? You may be surprised to find that the automatic generated WSDL may be in a majority of cases is not as clean or easy to follow and in some cases may indeed be wrong. The best practice for developing interoperable web services recommends following a contract-first approach. This requires that the "contract" i.e. the WSDL and the Schema to be something that is developed with a great deal of care given to interoperability. Since the automatic generation of WSDL is platform-specific, there is always the possibility of some platform-specific artifacts ending up in the contract documents, which is not what you intended to happen.

Q. What about those existing/legacy services that do a run time lookup? Won't those break?

The question that needs to be asked at this point is why these services are doing a run time lookup, is there value being added by this capability in this client, and are there alternatives that will enable the client to provide the same functionality without compromising security?

As an example take the case of a BEA Weblogic client. If you will look at the documentation that BEA provides on building a Dynamic client you will note that they provide two different approaches, one that uses a dynamic WSDL lookup and another that does not. The interesting thing about this is that the approach that uses the WSDL makes a run-time lookup of a Web Service's WSDL which will end up breaking if the ?WSDL functionality is turned off. But the alternative approach of building a dynamic client provides the same functionality without the run-time WSDL lookup.

From what I can see, from a functional perspective there is no difference between the two approaches and given that one of the things that you want to do when developing web services, or any software for that matter, is to minimize the number of external dependencies, I would choose the second option of NOT doing a run-time WSDL lookup in this particular case. What is regrettable in this case is that it appears that the default configuration in BEA's tooling is to use the run-time WSDL option (Or so I have been informed), which leads to issues when folks who choose the default options with their tools develop the clients.

Mitigating these information disclosure threats requires both developers and operational support folks to understand their shared responsibility for security. Developer's need to understand that security should be part of the software development lifecycle and is not something that is bolted on at the end or is 'thrown over the wall' for someone else to take care of. Operational folks need to understand that a layered defense in depth strategy is needed and that secure coding practices of developers are an essential component of any operational environment. In particular the mentality of "Firewalls and SSL will save us all" needs to change for all parties concerned.

del.icio.us Tags: information-disclosure,web-services,WSDL-Scanning

Technorati Tags: information-disclosure,web-services,WSDL-Scanning

Digital Identity World 2008 Recap

Anil John — Sat, 13 Sep 2008 20:43:32 GMT

Digital ID World 2008 is the first IdM conference that I've gone to as part of a team, and given the variety of breakout sessions we decided early on to use the divide and conquer approach based on our areas of interest and expertise.

The following are some highlights on some (not all) of the sessions that I attended and found to be interesting. As with a lot of conferences, there were some sessions that were pretty much disguised vendor pitches which I am not even going to bother with a mention.

Keynote - Identity Assurance: A Backbone For The Identity Marketplace
by Peter Alterman - GSA, Andrew Nash - PayPal, Frank Villavicencio - Citigroup

In some ways this was rehash of the panel on the same topic that was moderated by Mark Diodati at Burton Catalyst but with the addition of Peter Alterman of the GSA, who tends to add a certain amount of ...ah... flair to the conversation :-)

The intent of the Liberty Identity Assurance Framework (IAF) is to develop a framework that leverages the existing work that has been done by EAP, tScheme, US e-Auth etc. to generate an identity assurance standard that is technology agnostic but provides a consistent way of of defining identity credential policy and the process and policy rule set etc. The IAF consists of four parts (1) Assurance Levels (2) Assessment Criteria (3) Accreditation and Certification Model and (4) Business Rules. You can find out more about it on the IAF Section of the Liberty Alliance Web Site.

What interested me about the entire conversation was the leveraging of OMB M-04-04 and NIST 800-63 to define the assurance criteria but the drive to make a "Liberty Alliance IAF Assurance Token" (if you will) that will be certified to mean the same thing across federations. Mr. Alterman also noted, and I hope that I interpreted this correctly, that the intent from the GSA side would be to not re-invent the wheel but to adopt this IAF framework going forward. He spoke of current inter-federation work he is involved in between NIH and the InCommon Federation that is leveraging this.

During the Q&A session, I brought up the fact that this work is directly focused on AuthN but in general, access to resources is granted based on a variety of factors, only one of which is the strength and assurance of the authentication token. The response is that the Liberty work is deliberately focusing on the AuthN and considers AuthZ to be out-of-scope for their work.

Keynote Presentation: State Of The Industry
by Jamie Lewis - Burton Group

Enterprise IdM is the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies.

Business trends are driving integration across processes and folks are being asked to do more with less.

SaaS is gaining momentum
Many failures in IdM projects caused by a lack of doing homework and a belief in the silver bullet product etc.
People manage risk, not products.
IdM is a means and not an end; It is about enabling capabilities and not an end in itself.
The Identity Big Bang is around new ways of working, collaborating and communicating
Make every project an installment on the Architecture and scope the goals to around 3 years.
Always think about data linking and cleansing

That was the first half of the keynote, but the second half was something I found to be very fascinating and is based on work that Burton has been proposing around the idea of a "Relationship Layer for the Web"

AuthN and AuthZ are necessary but not sufficient

Centrism of any kind does NOT work

Lessons from social science on trust, reciprocity, reputation etc.

The future of identity is relationships

Difference between close and distant relationships; Able to make many observations in a close relationship, so able to get good identity information. Not so for distant relationships

A good relationship provides value to all parties. And it is not just about rights but also obligations

Values like privacy etc. require awareness of relationship context

Systems fail if they are not "relationship-aware"

Difference between Custodial, Contextual and Transactional identities.
-- Custodial Identity is directly maintained by an org and a person has a direct relationship with the org.
-- Contextual identity is something you get from another party but there are rules associated with how that identity can be used.
-- Transactional identity is just the limited amount of info that an RP (?) gets to complete a transaction e.g. Ability to buy alcohol requires a person to be over 18 (?) but in a transactional relationship, you would simply ask the question of "Is this person old enough to buy alcohol?" and the answer would come back as "Yes/No". Compare this to a question of "What is this person's age or birthday?" which releases a lot more info.

The last type of identity in effect requires the existence of what Burton Calls an "Identity Oracle" (See Bob Blakley's blog entries) that has a primary and trusted relationship with a user as well as with relying party and can stand behind (from a legal and liability perspective) the transactional identity statements that it makes.

I found this entire topic absolutely fascinating as this is so very relevant to a lot of the work that I do around information sharing across organizations that may or may not trust each other for a variety of (sometimes very valid) reasons. Will be actively tracking this area on an ongoing basis.

The Plot To Kill Identity
by Pamela Dingle - Nulli Secundus

I really enjoyed this session by Pamela on the disconnect that currently exists between the needs of the users, what is being asked of the application vendors and the lack of a common vocabulary to express our needs such that there is a change in the same old way of doing business.

Need for an effort to be consistent all the way at the RFP/RFI time

Need a common vocabulary when requesting capability from vendors

Start with: Provide and Rely support i.e. the ability to choose whether or not a product relies on external identity services or provides its own.

Pamela also had a great starting set of RFI type questions one can use.. I am hoping that she will post them on her blog.

One of the questions I brought up during the Q&A session was that if I bought in to the Kool-Aid of what she discussed during the presentation (and I do), what would it take to scale the conversation to a larger audience? Bob Blakley, who was also in the audience, chimed in and noted that if Pamela wrote up a white-paper on the topic, he would help her get it published and widely distributed as well.

I would also be very interested in expanding the scope of the sample RFI questions to be grouped by product/project category (and released under an open licence; Creative Commons?) so that folks like me can use them in our RFP/RFIs as well.

There were more sessions that I attended that were interesting such as the Concordia Workshop on "Bootstrapping Identity Protocols: A Look At Integrating OpenID, ID-WSF, WS-Trust And SAML", "Using An Identity Capable Platform To Enhance Cardspace Interactions" and more..

All in all, beyond the sessions themselves, the hall-way conversations and the connections made to be as valuable (or even more so) than just the sessions themselves. I know that I found and made connections with multiple folks who work in my community and am very much looking forward to future collaborations with them and others.

del.icio.us Tags: Identity-Management,DIDW2008

Technorati Tags: Identity-Management,DIDW2008

Attending Digital ID World 2008

Anil John — Sun, 07 Sep 2008 21:13:35 GMT

I am off next week to Anaheim, with the rest of my team, to attend Digital ID World 2008. Very much looking forward to the event given its packed agenda as well as some already scheduled side-bar meetings.

This looks like it is going to be another one of my usual business trips that combines visiting some of the nicest/most-scenic cities on the North American Continent and spending all the time indoors in window-less conference sessions, which in turn leaves you with absolutely no time for any site-seeing :-)

del.icio.us Tags: Identity-Management,DIDW2008

Technorati Tags: Identity-Management,DIDW2008

Building a new Windows Vista compatible computer

Anil John — Sun, 07 Sep 2008 18:00:39 GMT

I recently came back from vacation to find that my primary desktop at home (a Dell Unit) was not booting up and the only indicator was a slowly blinking yellow power light.

After some investigation, it turned out that this was due to a bad power supply. On top of that, it appeared that the power supply fried the motherboard on its way to the land of no return. My first inclination was to buy another brand name computer. But in shopping around, I really was not happy with choices that were being offered, so decided to go the custom build route.

Although I have built multiple computers in the past, I have not been keeping up with the current hardware esoterica, so got some recommendations from folks at work that led to a pre-built list of computer parts through the SlickDeals forum. An additional criteria was that since I had a copy of Windows Vista Ultimate lying around that I still had not installed on any of my systems, and since Vista SP1 had come out, I wanted this to be a machine that was capable of running Vista.

It took me 2-3 hours to put the system together on a Saturday with the additional benefit that it was a cool thing to do with the kids.

I am happy to note that all of the parts work together seamlessly, have full Vista driver support and once Vista SP1 and all of the latest updates were installed, I have a very smooth running machine. While my Aero score was not at the top end, it still is enough to give me the full Aero experience with Vista (Per the Vista Help, the current base scores for the Windows Experience Index ranges from 1 to 5.9).

For those who are interested in building a very decently performing Vista compatible computer at a reasonable price, I have turned my list of parts into into a NewEgg Computer Wishlist for a Mid-Range Computer. My experience with this was very positive and I would recommend both the vendor as well as the parts.

del.icio.us Tags: Custom-Computer,Vista,NewEgg

Technorati Tags: Custom-Computer,Vista,NewEgg

The Many Principles of SOA

Anil John — Sun, 07 Sep 2008 16:14:13 GMT

Notes from an on-going online discussion to self, for use as a reference and for discussion:

"SOA is an architectural style, and an architectural style is a set of principles. Gartner has enumerated five principles that constrain SOA:

modular
distributable
described
sharable
loosely coupled

To the degree a system exhibits all five, the more it qualifies as representing the SOA style"

- Nick Gall, Gartner

"SOA Principles of Service Design:

Service Contracts
Service Coupling
Service Abstraction
Service Reusability
Service Autonomy
Service Statelessness
Service Discoverability
Service Composability"

- Thomas Erl, SOA Principles of Service Design

"From my perspective, the overarching principle governing SOA is separation of concerns. This principle helps you determine how to factor functionality into services. Thomas Erl discusses service factoring and granularity in the SOA Fundamentals section of his book rather than treating SoC as a principle"

- Anne Thomas Manes, Burton Group

"The 4 tenets of Indigo as defined by Don Box, which has now been morphed into the Microsoft tenets of SOA:

Boundaries are explicit
Services are autonomous
Services share schema and contract, not class
Service compatibility is determined based on policy"

- Don Box, A Guide to Developing and Running Connected Systems with Indigo

"The 10 Principles of SOA, as expanded on the above 4 tenets, by Stefan Tilkov:

Explicit boundaries
Shared contract and schema, not class
Policy-driven
Autonomous
Wire formats, not programming language APIs
Document-oriented
Loosely coupled
Standards-compliant
Vendor-independent
Metadata-driven"

- Stefan Tilkov, innoQ

I've been using a combination of Anne's separation of concerns, Thomas Erl's principles and selected bits from the OASIS SOA-RM in the SOA class that I teach but the variations above look to be great fodder for some discussions!

del.icio.us Tags: SOA,Teaching

Technorati Tags: SOA,Teaching

Bloody Brilliant!

Anil John — Wed, 30 Apr 2008 02:14:07 GMT

Awesome! I hope this act wins!

del.icio.us tags: Desi

Technorati tags: Desi

The Zen of Identity Attributes

Anil John — Thu, 24 Apr 2008 14:21:26 GMT

Federating identities across information and security domains is not just a technical problem, and anyone who tells/sells you that it is, is not operating in a frame of reality that is conducive to success!

Please note that, for me, an implementation of an Identity Federation architecture takes into account both Authentication and Authorization as well as a host of other areas. As such I've always found it amusing to be informed (usually by a vendor) that this is a straight forward problem and that once I deploy [Insert technology / tool / product / magic pixie dust of choice here], we will have you "federating in no time". Ha!

We have been wrestling with this and at one of our working meetings recently, one of my team-mates came up with the following representation to describe the challenges of reaching agreement on what information needs to flow across federation boundaries, and what needs to be in place to accomplish it. Based on the same principle as the Boy Scout's triangle (heat, oxygen, fuel), you take away one side, and the entire Attribute Triangle (or as we call it, "Tom's Triangle", in honor of our team-mate who came up with it) collapses.

When you look at it, it seems so obvious and simplistic, but we have found value in thinking thinking about it in this manner. Organizational Policy determines the rules of the road. Those rules in turn are reflected in the choices of attributes and the agreements around their semantics. At the same time, you need to be assured that the agreed upon attributes are not things that you come up out of the blue but are instead drawn from trusted and authoritative sources in the Enterprise.

del.icio.us tags: Identity-Management, ABAC, Federated-Identity

Technorati tags: Identity-Management, ABAC, Federated-Identity

Metal on Target

Anil John — Sat, 19 Apr 2008 02:32:55 GMT

"... part of our job is to make deliveries of metal to deserving customers. Business is Good!"

An excerpt from a conversation with an Army Colonel.

del.icio.us tags: Military Humor

Technorati tags: Military Humor

National response to hazards and Identity Management

Anil John — Mon, 14 Apr 2008 02:07:28 GMT

GSA's USA Services/Intergovernmental Solutions sponsors monthly workshops around topics such as emergency preparedness, environmental monitoring, healthcare and law enforcement.

The upcoming "Exploring Identity Management: Global Landscape and Implications for Stakeholder Engagement Around the National Response Framework" session is focused on the implications of the "National Response Framework [PDF]" to Identity Management.

National Response Framework (NRF) is a guide to how the Nation conducts all-hazards response. It is built upon scalable, flexible, and adaptable coordinating structures to align key roles and responsibilities across the Nation, linking all levels of government, nongovernmental organizations, and the private sector. It is intended to capture specific authorities and best practices for managing incidents that range from the serious but purely local, to large-scale terrorist attacks or catastrophic natural disasters.

I had the opportunity to speak with both Susan Turnbull at the GSA as well as Dr. Duane Caneva, Director of Medical Preparedness at the White House Homeland Security Council, who are putting this event together, and came away impressed with their obvious passion in addressing this critical issue.

Basically, this is all about the technical, social and organizational infrastructure that needs to be in place to respond to a Katrina-like or Tsunami-like event. Identity Management is seen as an enabler in bringing the right people, the right resources and the right information together to help make a difference in responding to a crisis of this magnitude.

I also came away with an action item :-) to discuss with this community how some of the work that I am currently involved with could help out in this particular domain. The agenda looks pretty interesting and builds upon past events such as the IDTrust 2008 etc. Looking forward to this!

del.icio.us tags: Identity-Management, DHS, GSA, National Response Framework

Technorati tags: Identity-Management, DHS, GSA, National Response Framework

Wanted - Computer Systems Engineer Identity Management

Anil John — Sun, 06 Apr 2008 19:08:54 GMT

I typically don't do this, but this particular job opening in my organization is for someone that I will be directly working with. As such, it is in my best interest to make sure that the opening gets socialized to folks in the right communities so that I can continue to work with folks who are a whole lot smarter and more knowledgeable than I am :-)

So if you have a knowledge base that spans identity, security and privacy technologies, would like a job that has a direct impact on and enhances of the security of the nation, and would like to work in an environment that values your individual contributions to a kick-ass team, we are hiring!

Here are some of what I consider to be the relevant details of the job opening. The full description of the job, as well as how to apply for it, can be found on the official job requisition.

The ideal candidate will have a knowledge base that spans identity, security and privacy technologies as well as the ability to bridge the software development and computing infrastructure domains.

Duties:

Provide subject matter expertise in implementing identity and access control solutions in support of a variety of sponsors in the Government and Intelligence Communities. [...]

Maintain current knowledge of identity technologies in the commercial marketplace with an eye towards how it could be applied to sponsor needs. Expectation is that the candidate actively participates in the technical community [...]

Actively work to share knowledge and experience gained in external community participation and project work via participation in internal Communities of Practice, online forums [...]

Participate in standards organizations such as OASIS, W3C and others on behalf of JHU/APL in the creation and modification of standards [...]

Desired:

Self-motivated to learn and apply technology to solve problems

Ability to “Argue like you are right, Listen like you are wrong”

Self-starter who proactively searches for and obtains potential solutions to problems

Demonstrated experience with the implementation of identity solutions which may include:

Application of relevant standards such as SAML, XACML, WS-SX, etc.

Implementation and/or administration of directory services (LDAP etc) and/or Virtual Directory Capabilities,

Implementation and/or administration of PKI,

Implementation and/or administration of Web Access Management solutions

RBAC/ABAC

Full lifecycle implementation experience as related to an Identity Management Project

Required:

Demonstrated experience in one or more of the relevant areas of Identity, Security, and Privacy with an interest in focusing on the Identity Management area.

At least 5 years of increasingly complex software development with one or more of the major software platforms (i.e. .NET and/or JEE) and/or infrastructure experience with one or more major operating systems (i.e., *nix, Windows) in an Enterprise class environment

Awareness of the fundamental principles of Service Oriented Architecture

Must be eligible for US Department of Defense (DoD) clearance requiring background investigation and/or polygraph examination. [Please be aware that holding a U.S. Citizenship is part of the requirement for obtaining a security clearance]

[...]

If you are interested, apply via the official job site, but in addition, drop me a note that you have applied with your attached resume to my work e-mail (anil dot john -at- jhuapl dot edu), so that I can have it flagged internally and properly routed.

If you would simply like to find out more about the job, the work environment etc, or would like any clarifications before you take action, please feel free to contact me. Needless to say, if you know of someone else who would be interested, please pass the details on to them.

del.icio.us tags: Identity-Management, JHUAPL

Technorati tags: Identity-Management, JHUAPL

New Information Sharing Strategy for the DNI

Anil John — Sun, 06 Apr 2008 16:53:44 GMT

A new “Information Sharing Strategy” (PDF) from the Office of the Director of National Intelligence warns that traditional security practices that restrict disclosure of information have become counterproductive.

“The Intelligence Community’s ‘need to know’ culture, a necessity during the Cold War, is now a handicap that threatens our ability to uncover, respond, and protect against terrorism and other asymmetric threats,” the document declares.

The new Strategy defines information sharing goals and as well as near-term and long-term implementation objectives. Goals include uniform government-wide information policies, improved connectivity, and increased inter-agency collaboration.

Source: FAS Project on Government Secrecy

The document notes that in order to achieve their information sharing vision, the IC has "... adopted a new information sharing model, which is depicted in Figure 1:"

del.icio.us tags: ABAC, Net-Centric

Technorati tags: ABAC, Net-Centric

IEEE Security & Privacy on Identity Management

Anil John — Fri, 04 Apr 2008 22:12:35 GMT

Just picked up the current issue of IEEE Security & Privacy Magazine and it is full of Identity Management Goodness!

I'm Pc01002/SpringPeeper/ED288l.6; Who are You? by Susan Landau and Deirdre K. Mulligan
The Venn of Identity: Options and Issues in Federated Identity Management (Abstract) by Eve Maler and Drummond Reed
The Seven Flaws of Identity Management: Usability and Security Challenges (Abstract) by Rachna Dhamija and Lisa Dusseault
Biometrics in Identity Management Systems (Abstract) by James L. Wayman
Privacy and Identity Management (Abstract) by Marit Hansen, Ari Schwartz and Alissa Cooper
Identity Management, Privacy, and Price Discrimination (Abstract) by Alessandro Acquisti
Use Cases for Identity Management in E-Government (Abstract) by Robin McKenzie, Malcolm Crompton and Colin Wallis
Dynamic Security Assertion Markup Language: Simplifying Single Sign-On by Patrick Harding, Leif Johansson, and Nate Klingenstein

Looking forward to this read!

del.icio.us tags: Identity-Management, SAML, Privacy

Technorati tags: Identity-Management, SAML, Privacy