Like last year, Cloud Identity Summit was a hive of activity, a very high concentration of people doing important identity work.
The intro party featured a once-in-two-or-three-years thunder and lightning show, all the more impressive at 9,300 feet elevation, and one of my favorite tweets.
I taught a Cloud Security class the first day on Cloud Threats, Countermeasures and Security Patterns. On the day of the conference my intro keynote was sandwiched between two of my favorite people, Andre Durand, who spoke on unintended consequences, and Patrick Harding, who pressed the need for standards. Patrick said "Cloud providers should remove password requirement, expect standard token instead"; I could not agree more.
My talk was 9 Things - Capabilities and Constraints for Identity & Security Architecture. I talked about the limitations of the current infosec architecture in dealing with Cloud, Social and Mobile, with some ideas on how to improve via patterns - Gateway, Monitoring, STS, PEP/PDP.
Microsoft's John Shewchuk called XACML a great starting point, but said it also needs claims transformation via an STS. I certainly agree; I see the STS as the critical glue for Cloud applications.
Bob Blakley summarized his two password rules: "1. Pick something you can't remember and 2. Don't write it down."
Jeremy Grant from NIST - "We think the password is fundamentally insecure and needs to be shot." +1 from me
Farhang Kassaei closed the day with the intersection of Identity and eCommerce, looking at the commercial aspects: for a merchant, identity is about onboarding, personalization and transactions.
Chuck Mortimore said that at Salesforce usage is inverting towards mobile/API (60% of logins), with web browser usage at 40% and shrinking. Chuck showed how OAuth and SAML play together, specifically OAuth as a deep link inside their SAML protocol (a theme repeated later in Paul Madsen's standards chalk talk). What this gives Salesforce is OAuth as a vehicle for assembling the context critical for security decisions and risk-based access control.
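To make the STS and PEP/PDP patterns above concrete, here is an added example (mine, not code from the conference, from Salesforce or from any product mentioned on this page). It shows a toy security token service that validates an identity-provider token, transforms enterprise group claims into application roles and re-issues a token scoped to one cloud app, plus a small XACML-style policy decision point that combines those roles with request context (here, whether the device is managed) the way the talks describe context feeding risk-based access decisions. The compact token format, the HMAC keys, the group-to-role table and the policy rules are all constructed for the example; a real deployment would use SAML or JWT with asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json

# Constructed example keys. A real IdP and STS would use asymmetric signing
# keys; HMAC stands in so the example runs offline.
IDP_KEY = b"idp-signing-key-example"
STS_KEY = b"sts-signing-key-example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Constructed compact format: base64url(json claims).base64url(hmac)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check signature, expiry and audience before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims


# Claims transformation table (constructed): enterprise group -> app role.
GROUP_TO_ROLE = {
    "cn=finance,ou=groups": "invoice_approver",
    "cn=staff,ou=groups": "employee",
}


def exchange(inbound_token: str, target_app: str, now: float) -> str:
    """STS: validate the IdP token, translate claims, re-issue for target_app.

    The outbound token carries only what the app needs (subject, roles) and is
    bound to that app's audience with a short lifetime."""
    inbound = verify_token(inbound_token, IDP_KEY, audience="sts", now=now)
    roles = sorted({GROUP_TO_ROLE[g] for g in inbound.get("groups", [])
                    if g in GROUP_TO_ROLE})
    outbound = {
        "iss": "sts",
        "sub": inbound["email"],
        "aud": target_app,
        "roles": roles,
        "exp": now + 300,
    }
    return sign_token(outbound, STS_KEY)


# A tiny PDP: XACML-like rules over subject role, resource, action and
# request context. Rules and context attributes are constructed.
POLICY = [
    {"role": "invoice_approver", "resource": "invoice", "action": "approve",
     "context": {"device_managed": True}},
    {"role": "employee", "resource": "invoice", "action": "read",
     "context": {}},
]


def pdp_decide(claims: dict, resource: str, action: str, context: dict) -> str:
    """Permit if any rule matches role, resource, action and every context
    constraint; deny by default."""
    for rule in POLICY:
        if rule["resource"] != resource or rule["action"] != action:
            continue
        if rule["role"] not in claims.get("roles", []):
            continue
        if all(context.get(k) == v for k, v in rule["context"].items()):
            return "Permit"
    return "Deny"


def pep_request(app_token: str, app: str, resource: str, action: str,
                context: dict, now: float) -> str:
    """PEP at the cloud app: verify the STS token for this app, then ask the PDP."""
    claims = verify_token(app_token, STS_KEY, audience=app, now=now)
    return pdp_decide(claims, resource, action, context)


if __name__ == "__main__":
    now = 1_700_000_000.0
    idp_token = sign_token({"iss": "idp", "email": "alice@example.com",
                            "groups": ["cn=finance,ou=groups", "cn=staff,ou=groups"],
                            "aud": "sts", "exp": now + 600}, IDP_KEY)
    app_token = exchange(idp_token, "crm", now)
    print(pep_request(app_token, "crm", "invoice", "approve", {"device_managed": True}, now))
    print(pep_request(app_token, "crm", "invoice", "approve", {"device_managed": False}, now))
```

Two things worth noticing: the IdP token is never accepted by the app directly (wrong key and wrong audience), so the STS is the only path in, which is the "glue" role John Shewchuk described; and the same role-bearing token yields Permit or Deny depending on context supplied with the request, which is the risk-based access pattern Chuck Mortimore described OAuth carrying.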
Brian Iverson observed that companies realized storing credentials in the Cloud was pretty stupid; luckily, federation was there to help.
Craig Burton riffed on the foundations of the API economy.
Brad Hill had the closing baton and discussed the trend of the criminal class moving from the OS (too hard) to web apps. Brad said we need to start defending the client instead of ceding that territory. In some of the best security news in a long time, Brad is leading the Web Application Security WG at the W3C with Eric Rescorla on web app sec standards.
Beyond all these notes, the breaks, meals and other events led to many great conversations - can't wait until 2012.
Just a nit... Brad and EKR are actually leading the Web Application Security WG at the W3C, not the IETF (though they're involved in the IETF WebSec WG, too). Cheers.
Posted by: J. Trent Adams | July 22, 2011 at 01:20 PM