authentication and authorization of developers managing applications on the platform
single signon for developers with platform support sites
delegated authorization to partner applications and services
support for separation of duties for service to service access between platform components.
The UAA also allows us to seamlessly support external authentication services such as SAML, OpenID2, and, yes, even LDAP.
I’m pretty happy with how the harmonization turned out. Each protocol contributes specific, essential capabilities with very little overlap. The usefulness of the whole is greater than the sum of the parts. As we move forward, there are some areas of concern:
… make it easy to remember and hard to guess.
We spend so much time trying to reduce the need for passwords it’s easy to overlook that password management itself can be improved. Some months ago the Cloud Foundry identity team restructured our approach to password policy. Luke Taylor posted about it on the Cloud Foundry blog. The new approach is inspired by the famous xkcd cartoon which uses “correcthorsebatterystaple”. We don’t require specific punctuation, case or length. No stupid rules. We dynamically check the password as you type and update a password strength score using an algorithm and open source project also inspired by the xkcd comic. The dynamic feedback is quite intuitive. I’ve quickly learned what makes a strong password — and it’s not an underscore or using a number that looks like a letter. My password lengths have greatly increased but they are much easier to remember. Continue reading "If you must have a password…"
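To make the contrast between composition rules and a strength score concrete, here is an added illustration (not the Cloud Foundry UAA's checker or the open source project the post refers to): a rule-based check beside a rough guess-entropy estimate that treats dictionary words, capitalisation and letter-for-symbol swaps as cheap. The word list, the 11-bits-per-word figure, the leet map and the feedback thresholds are all assumptions made for the example.

```python
import math
import re

# Constructed toy word list standing in for a real dictionary (assumption; a
# real checker would load a large list of words, names and leaked passwords).
WORDS = {"correct", "horse", "battery", "staple", "troubador", "password",
         "dragon", "welcome", "summer"}
DICT_BITS = 11                              # ~2048-word dictionary: 11 bits per common word
LEET = str.maketrans("0431@$!", "oaeiasi")  # common letter-for-symbol swaps (assumed map)

def rule_based_ok(pw):
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol."""
    return all([len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def char_bits(ch):
    """Guessing cost of one non-dictionary character, by character class."""
    if ch.isalpha():
        return math.log2(26)
    if ch.isdigit():
        return math.log2(10)
    return math.log2(33)                    # printable ASCII punctuation

def estimate_bits(pw):
    """Rough guess-entropy: dictionary words stay cheap even with l33t/case tweaks."""
    norm = pw.lower().translate(LEET)       # view the password the way a matcher would
    bits, i = 0.0, 0
    while i < len(pw):
        match = max((w for w in WORDS if norm.startswith(w, i)), key=len, default=None)
        if match:
            seg = pw[i:i + len(match)]
            bits += DICT_BITS
            bits += 1 if any(c.isupper() for c in seg) else 0  # capitalisation: one choice
            bits += sum(1 for c in seg if not c.isalpha())     # each l33t swap: one choice
            i += len(match)
        else:
            bits += char_bits(pw[i])
            i += 1
    return round(bits, 2)

def strength(pw):
    """Feedback band a UI could show as the user types (thresholds are an assumption)."""
    b = estimate_bits(pw)
    return "weak" if b < 28 else "fair" if b < 40 else "strong"
```

Run against the two xkcd passwords, the rule check accepts the symbol-laden one and rejects the four-word one, while the entropy estimate ranks them the other way round.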
Photo of turtles on the VMware campus courtesy of Yvonne Wong, recruiter extraordinaire.
Most of us on the Cloud Foundry identity team have been working together for just over a year. We work with a rather interesting group that leads the larger open source community that builds Cloud Foundry.
On the identity team we’ve been working to evolve Cloud Foundry’s user authentication and authorization system into a full suite of identity services — open source and built on open standards. We’ve built some cool stuff. We are now starting to publicize what we’ve built and more actively engage with the community. Our team consists of veteran SpringSource leaders David Syer (@david_syer) and Luke Taylor in the UK, with Joel D’sa, Vidya Valmikinathan and me in Palo Alto.
Dave started us off with 3 solid blog posts for the cloudfoundry.org blog explaining our use Continue reading "Turtles all the way down"
Wow. I would have thought that after the years of publicity describing the evils of the password anti-pattern, it would not be seen in any current web site that is serious about security. Today, I tried to link an etrade account to a checking account at another institution. Here is part of the screen I got:
I wasn’t sure what it meant by “online login information”. I thought that perhaps they wanted me to reenter my etrade credentials for extra security at this step, but it seemed odd that they would do that in a box that says “powered by yodlee”. I wouldn’t want to give my etrade password to yodlee. So I checked the help bubble and got this:
“Please enter the login information for the bank your external account is at”.
About 18 months ago, Julie and I left family and friends and our long-time residence in Utah and moved to California. It’s been a wild ride. We’re enjoying it now, but initially it was quite a shock. Here are some of the changes:
23 total years at Novell, last project: Novell Cloud Security Services (identity services)
Both of my regular readers have pointed out to me that my abysmally low blog posting frequency has recently sagged. That has been somewhat due to the state of my current project, Novell Cloud Security Services (NCSS). NCSS was released last August, and since then we have been working with current and prospective customers to make sure it’s what they need, and to enhance it as usage of the cloud evolves. That has meant a lot of travel and meetings for me — much of which I can’t blog about. However, sometimes I am involved in events that allow said loyal readers to see what I do. One such event was last week.
Last week I attended the Cloud Connect conference in Santa Clara. As I arrived at the conference about an hour late, I got a message from my colleague Gary Ardito that a camera crew was there waiting Continue reading "NCSS Demo at Cloud Connect"
I have referred to my children numerous times in this blog. For some reason, their adventures are often rather technology focused – but this post is not about technology. It’s about the sheer techie coolness of my daughter being seen in a post on TechCrunch.
My oldest son recently started working for a new company called Instructure. I’m not sure I agree with a company strategy that defines itself by its competition, but they have certainly made a splash by announcing that they are specifically attempting to dislodge Blackboard as the leader in learning management software. They’ve taken some interesting approaches to grab attention and market share, such as releasing the core product as open source. There are a number of solid strategic reasons to do that – but (again) this post is not about technology.
Instructure’s recent emergence in the market, their intriguing strategic moves, and some significant early Continue reading "My Daughter Appears in an Arrington Post on TechCrunch"
A few weeks ago I had a great conversation with Matt Grant over at the Trusted Cloud Initiative. It was a lively conversation and Matt did a great job of turning it into a blog post. I’m not sure if I ever stated the main point of our conversation as succinctly as Matt captured it in the title, but he nailed it: “Hosters Need to Think about Identity as a Platform Play”.
When I read it today I noticed one idea I’d like to clarify a bit. The post contains this paragraph:
You see, people can move an application from one host to another without much trouble. The hosters want to be able to hold on to relationships with specific SaaS customers and the idea of identity services is one of the stickiest things possible. Why? Because where people have their user accounts is a very sticky Continue reading "Further into Identity as a Platform Play"
I’ve had many conversations with Dave Kearns over the years in hallways, a few beer halls, and conference panel discussions at events like the Internet Identity Workshop and the European Identity Conference. The conversations have been lively and often pushed my thinking in new directions. We’ve followed a similar path from the directory services of the 90s to Internet identity systems, and now on to cloud computing as it accelerates the adoption of identity services and the identity provider model.
In a recent newsletter Dave riffs on my presentation at the European Identity Conference and then concludes with this paragraph:
“The cloud is a reality. Cloud-based computing is a reality. Platform-as-a-service, application-as-a-service and, yes, identity-as-a-service will soon be as pervasive as client-server computing became in the last century. This will mean fundamental changes in the ways we think about identity and security. Get on that train, or be left at Continue reading "Identity and Security on the Cloud Train"