Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • In Cloud-Friendly Web Services Security, "There Is No Enterprise." Wait. What?

    Posted on July 15th, 2011 by Eve Maler

    "There is no enterprise -- the work we do is a collection of people that dynamically changes through a mix of organization control." That's what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)

    What I found was that forward-thinking enterprises of many types - not just hip-happenin' Web 2.0 companies - are pushing service security and access management to the limit in environments that can truly be called "Zero Trust," to use John Kindervag's excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between "internal" and "external" users. They've kind of turned themselves inside-out.

    No more chewy centers, indeed. And OAuth is playing an increasing role in a variety of business scenarios, from B2B to identity federation to variants on classic SOA security, wherever light weight and agility are prized. I hope you'll get a chance to check out the report to see my recommendations for using OAuth effectively in whisper-light app environments, and weigh in here with your thoughts.

  • Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?

    Posted on June 10th, 2011 by Eve Maler

    Many IT security pros are moving toward disruptive new authentication and authorization practices to integrate securely with cloud apps at scale. If you're considering such a move yourself, check out my new report, The "Venn" of Federated Identity. It describes the potential cost, risk, efficiency, and agility benefits when users can travel around to different apps, reusing the same identity for login.

    Aggregate sources of identities are large enough now to attract significant relying-party application "customers" - but the common currency for identity data exchange varies depending on whether the source is an enterprise representing its (current or even former) workforce, a large Web player representing millions of users, or other types of identity providers. These days, the SAML, OAuth, and OpenID technologies are the hard currencies you'll need to use when you participate in these identity markets. You can use this report to start matching what's out there to your business scenarios, so you can get going with confidence.

  • Identity Assurance Means Never Having To Say “Who Are You, Again?”

    Posted on March 29th, 2011 by Eve Maler

    A decade after launching the SAML standard and seeing its, shall we say, stately pace of adoption, it's wild to see real single sign-on and federated attribute sharing starting to take off for social networking, retail sites, online gaming, and more -- not to mention seeing the US government starting to consume private-sector identities on citizen-facing websites.

    Last week, we published a report on Outsourcing Identity Assurance. In it, I examine this "Government 2.0" effort, including the National Strategy for Trusted Identities in Cyberspace (NSTIC), and its innovations around identity assurance, and the confidence you can have in the real-world verification of the identity you've been given by an identity provider. We're predicting you'll see new Web 2.0-ish ways to outsource identity verification in the coming three years, driven by use cases like e-prescribing, high-value eCommerce, and even online dating.

    But perhaps the US government's four convenient "levels of assurance" (LOAs), which tie strong authentication to strong identity proofing, don't apply to every use case under the sun. On the recent teleconference where I discussed these findings, we ended up looking at the example of World of Warcraft, which offers strong authentication but had to back off strong proofing. And over the weekend, I had a great back-and-forth with Stephen Wilson and others in the Twittersphere over the applicability of LOAs to financial Know Your Customer programs.

  • CardSpace Is Dead. Long Live Back-Channel Access.

    Posted on February 24th, 2011 by Eve Maler

    Microsoft announced during last week's RSA conference that it would not be shipping Windows CardSpace 2.0. A lot of design imperatives weighed on that one deliverable: security, privacy, usability, bridging the enterprise and consumer identity worlds - and being the standard-bearer of the "identity metasystem" and the "laws of identity" to boot. Something had to give. What are the implications for security and risk professionals?

    The CardSpace model had nice phishing resistance properties that cloud-based identity selectors will find hard to replicate, alas. But without wide adoption on the open Web, that wasn't going to make a dent anyway. We'll have to look for other native-app solutions over time for that.
