Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .
At a very high level, the strategy calls for the formation of a standards-based interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.
There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.
I will post my feedback on the official website, but a few of my suggestions are as follows:
There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.
The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.
Tags: BGPSEC, CA, Cyber Coordinator, DNSSEC, Federal Government, Howard Schmidt, HP, IBM, IPSec, Liberty, Microsoft, Microsoft Geneva, National Strategy for Trusted Identities in Cyberspace, nCipher, Novell, NSTIC, Open ID, Oracle, PGP, PKI, Project Higgins, RSA, Shibboleth, Symantec, Thales, Venafi, Verisign, Web services
Symantec’s acquisition of the Verisign security assets closed earlier this week. This frees Symantec to tell the world what it bought and the role the Verisign services play.
Good thing. Symantec caught a lot of flak for buying a legacy SSL certificates business. In truth, this deal could be much more–a SaaS authentication and PKI offering to broker trust relationships in B2C and B2B transactions.
I believe this could be a very good acquisition, but Symantec can’t assume that anyone other than PKI nerds understands this. To satisfy Wall Street and maximize the ROI on this deal, Symantec must:
Symantec needs to prove to the market (and especially Wall Street) that it can back vision and money with execution. The Verisign deal was fairly significant, around $1.2 billion. Symantec needs to execute ASAP to demonstrate that this deal was well thought out and that the money was well spent.
Tags: PKI, SSL, Symantec, Verisign, X.509
Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting into the full-disk encryption game, primarily on laptops.
Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:
In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.
Tags: Check Point, Chosen Security, encryption, GuardianEdge, IEEE, KMIP, McAfee, PGP, PKI, Symantec
Today, PGP announced that it plans to acquire TC TrustCenter and ChosenSecurity. Never heard of them? You are not alone. Basically, TC TrustCenter and ChosenSecurity provide Software-as-a-Service (SaaS) for Internet-based trust relationships.
Okay, some of you may think that this is simply a way to spin PKI (public key infrastructure) into marketing-speak and you are right to some extent. Why bury the PKI lead? Unfortunately, there is a stigma around PKI that has lingered for years. In the past, few applications supported PKI and enterprise PKI servers were simply too difficult to install and manage. Yes, security professionals understand the benefits of PKI, but they were scared to death of it thanks to implementation, customization, and administration horror stories.
TC TrustCenter and ChosenSecurity didn’t change PKI; they simply mastered it and made it virtually transparent to customers. As a result, PKI can be embedded into applications, identities, and systems as a service.
To me, this acquisition has upside potential for PGP far beyond existing business growth because:
I could go on and on, but I won’t. I’ve always been one of the few fans of PKI, so PKI as a service brings out the excitable geek in me. Obviously, some of the folks at PGP share this enthusiasm.
Tags: Cloud Computing, Federal Government, PGP, PKI, SaaS
While the technology industry is ga-ga over Cloud Computing, corporate CIOs seem less enthused. Early indications from ESG’s 2010 IT Spending survey indicate that cloud computing initiatives and priorities are near the bottom of the list. Why? Security and compliance concerns, lack of control, and technology immaturity top the list of issues.
So does this mean that cloud computing will be a no-show in 2010? Not at all. Cloud computing won’t gain widespread deployment, but we will see pockets of interest from bleeding edge companies and vertical industries. After doing some preliminary primary research, I believe that education will be one industry where cloud computing is poised to take off. Why?
In addition to these factors, universities are notoriously lean when it comes to IT; therefore, provisioning a service/application makes a lot more sense than provisioning IT technology infrastructure and then provisioning a service/application.
Finally, cloud computing will not be limited to higher education alone — actually, it is a perfect fit for K-12 as well. States could establish and run central cloud computing services for schools, eliminate the need for local IT and tech support, and level the computing playing field between rich and poor school districts.
In summary, cloud computing infrastructure, platforms, and applications fit education like a glove. Universities are already on board, so expect some of the most aggressive and creative cloud implementations to be based on campus. State and local governments that can overcome the political and compliance boundaries around cloud computing will also become leaders in cloud computing deployment and likely progressive educational programs as well.
Tags: Cloud Computing, InCommon, PKI, SAML, XACML