Personal Privacy Impact Assessments for Facebook

I’m reading Canada’s Assistant Privacy Commissioner Elizabeth Denham’s recently released findings into complaints levied against Facebook. (Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act.) My first reaction to this is, frankly, one of jealousy. I wish we had a similar commissioner/czar/wonk here in the US. I suppose elements of the FTC work in this regard but without the same charter, which is too bad.

Transparent or Translucent?

Last week I was at the recent Department of Homeland Security’s Government 2.0 Privacy and Best Practices conference. Not surprisingly the subject of transparency came up again and again. One thing that definitely caught my attention was a comment by one of the panelists that efforts towards government transparency are too often focused on data transparency rather than process transparency. While we have Data.gov as one of the current administration’s steps towards furthering government transparency, we do not have an analogous Process.gov. Said another way – we get the sausage but don’t get to see how it is made. This isn’t transparent government but translucent government. From what I’ve seen I’d say that enterprises have achieved the opposite kind of translucency with their identity management programs. Though enterprises have achieved some degree of process transparency by suffering through the pains of documenting, engineering, and re-engineering process, they haven’t been able to achieve data transparency. Identity information has yet to become readily available throughout the enterprise in ways that the business can take advantage of. Identity information (such as entitlements) has yet to achieve enterprise master-data status. Worse yet, the quality of identity data still lags behind the quality of identity-related processes in the enterprise. For those of you attending the Advanced Role Management workshop at Catalyst this year, you’ll hear me and Kevin present the findings from our recent roles research. Throughout our interviews we heard identity teams discuss their struggles with data management and data quality. Finding authoritative sources of information, relying on self-certified entitlement information, and decoding arcane resource codes were just some of the struggles we heard. No one said that identity data transparency was easy, but without it enterprises can only achieve identity translucency and not true transparency. 
(Cross-posted from Burton Group’s Identity Blog.)

2nd Traditional Chinese Sword League Tournament Results

Two weeks ago I was up in Brattleboro, VT competing in the 2nd Traditional Chinese Sword League tournament. Before I continue, I have to thank our hosts and all the people that help make the tournament work. Sensei Donahue and his school, the Brattleboro School of Budo, were wonderful hosts. The traditional nature of the school along with the diligence of their practice makes the school a special place.

This year, I prepared in a fairly different manner from last year. I believe the training paid off. As with last year, there was a round of pool matches to determine the seeding for the final tournament. As with last year, I won the pool matches, earning me a bye in the first round. Unlike last year, I did not get knocked out in the semis. I faced a tough opponent who beat me in the pool round. Beating him, I faced my classmate Greg in the finals.

I truly enjoy my matches with Greg, or as he is known around the school, Mugen. For our pool match, I fought him left-handed with the thought that as we face each other so often, I’d come out and show him something different. That worked and worked well. Our match was fairly short. For the finals, I got greedy and fought him using my left hand. I went to the well too many times, trying the same attack that works so well in the pool matches. He clocked me right across the eyes after a few exchanges; he won outright.

Compared to last year, I am far happier with my performance. My focus in my matches was much tighter. As my teacher commented, he would ask my opponent if they were ready and they would respond. One glance at me and he knew I was ready to go - no need to ask. Overall my stepping and waist movement were better than last year. More importantly I know what I have to work on this year and I have a much better sense of how to do it.

It has been a year since William Nicholson passed away. The head judge of the first tournament, pillar of the Great River Taoist Center, and most importantly loving family, we all miss William “The Black Death” Nicholson. I have a feeling he would have really enjoyed the matches this year and I know he’d be there to help me train to take on Mugen next year.

On training

I suppose there’s a certain point in training. Or said differently, I think I have a point I reach when training. Distracted. Sore. But physically as ready as I am going to be. I’m at that point with a few days before this latest Chinese swordsmanship tournament. Could I be in better shape? Yes. Do I wish that my foot and shoulder weren’t tweaked? Yes. Could I practice more? Yes… but I fear with diminishing returns.

Muscle memory accounts for a lot. You’ve got to train the basics into the bones, bypassing the brain. Deflections, counter-cuts, basic cuts, stepping - all of it has to be trained into the bones so that you can execute anything at any time. Until this sort of training isn’t done unquestioningly then you can fight practice match after practice match and not get a bit better. You’ll be stuck thinking about what to do as opposed to doing it.

But, at a certain point, that training ceases to return the same kind of gains as it once did. And that’s when the training gets much, much harder. It becomes all mental. I’ve been playing my opponents in my head now for a few days. Thinking about what they like to do and considering what my response will be. Thinking about what people who I’ve never faced will likely do and what my responses would be. This may seem easy, but it is exhausting. Exhausting and crucial. For me, now, this is the most important part of my training. And I’m not sure if I am training well. Guess I’ll have to wait until Saturday to see how things go.

The role of design in protecting cyberspace: thoughts from CFP 2009

Among the sessions in this year’s Computers, Freedom and Privacy conference was a panel on the recently released National review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:

  1. Product development
  2. System administration
  3. User behavior

But, to me, there was something missing from the list – product design. Too often I have seen products whose user interface, in fact its entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and the product gets a face. It is easy to recognize products that have been built in this way as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers that built the product in the first place. These types of products make problems internal to the product problems for the end-user and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end-user is confronted with meaningless alarms, confusing error messages, and misleading feedback?

At CFP, I talked to Bruce Schneier about his research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad about evaluating risk. Optimism bias and other factors cause us to either over or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made and you realize the crucial need to build better user experiences for security (frankly, all) products.

“Is everything okay with the mother ship and should we blow up Russia?” This is the question presented to Buckaroo Banzai and I think I’ve seen a form of it as a dialogue box in Windows. Would it be considered user error if an end-user pressed the “Yes” button and nuked Moscow? Bad design is at the least confusing and at the worst dangerous.

I did talk to Ed afterwards and he acknowledged the role of design in product development. As he said, if we only attempt to improve one of the three areas – product development or system administration or user behavior – we won’t improve cyber-security; we have to improve all three. User experience design as a part of an improved product development process can directly lead to better, more informed user behavior. Okay you product managers and designers, make your voices heard – better, safer products through better design!

(Cross-posted from Burton Group’s Identity Blog.)

Privacy Risks Get Real — California Privacy Laws, Octomom, and Kaiser Permanente

No organization wants to be the first to be fined because of a new regulation. Unfortunately, that’s exactly where Kaiser Permanente finds itself. After some high profile cases of unauthorized access to celebrities’ medical records, the California legislature adopted two new privacy laws (SB 541 and AB 211); these regulations were so swiftly enacted that they contained spelling errors. Both regulations went into effect on January 1 of this year. Five months later, Kaiser Permanente has become the first enterprise to be fined under this new regime. Regulators have levied the maximum fine, $250,000, for the recent incident involving Nadya “Octomom” Suleman. (Kevin commented on this previously.) All in all, 23 individuals looked at Ms. Suleman’s records without authorization. Of these, 15 have either been fired or resigned. And although the state regulators have fined Kaiser, they have yet to penalize any of these 23 individuals - which they can do under state law. As reported in the LA Times, Suleman’s lawyer said:

Nailing Down the Definition of "Entitlement Management"

Ian Yip’s take on access management versus entitlement management can be partially summed up with this equation:

Entitlement management is simply fine-grained authorisation + XACML

I have four problems with this. First, definitions that include a protocol are worrisome as they can overly restrict the definition. For example, if I defined federation as authentication via SAML, people would quickly point out that authentication via WS-Fed was just as viable as a definition. So in terms of an industry conversation, we need to make sure that our terms are not too narrow. Second, I fear that this definition is a reflection of products in the market today and not a statement on what “entitlement management” is meant to do. Yes, most of today’s products can use XACML. Yes, they facilitate authorization decisions based on a wider context. But who’s to say that these products, and the market as a whole, have reached their final state? Along these lines, I wonder if externalized authorization stores are a required part of an “entitlement management” solution? Third, there is something missing from the definition – the policy enforcement point. A fine-grained authorization engine provides a policy decision point, but that still leaves the need for an enforcement point. This holds true whether an application has externalized its authorization decisions or not. Finally, I have a problem with the phrase “entitlement management” (just ask my co-workers). As I have blogged about before, Kevin and I have been in the midst of a large research project focusing on role management. One of the things we have learned from this project is that enterprises do not use the phrase “entitlement management” the same way we do. A bit of history – three or so years ago Burton Group, at a Catalyst, introduced the phrase “entitlement management” to include the run-time authorization decision process that most of the industry referred to as “fine-grained authorization.” At the time, this seemed about right. Flash forward to this year and our latest research and we have learned that our definition was too narrow. 
The enterprises that we talked to use “entitlement management” to mean:

  * The gathering of entitlements from target systems (for example, collecting all the AD groups or TopSecret resource codes)
  * Reviewing these entitlements to see if they are still valid
  * Reviewing the assignment of these entitlements to individuals to see if the assignments are appropriate
  * Removing and cleaning up excessive or outdated entitlements

More often than not, we found that our customers used “entitlement management” as a precursor to access certification processes. Using a single term (“entitlement management”) to span both the run-time authorization decisions as well as the necessary legwork of gathering, interpreting, and cleansing entitlements can lead to confusion. The way enterprise customers currently use “entitlement management” works well to describe how legwork is vital to the success of other identity projects. (I’ll be working on a report this quarter that delves deeper into this.)

I am all for a broader conversation on fine-grained authZ versus entitlement management. And as Ian Yip has pointed out on Twitter, identity blog conversations have dropped off a bit and I’d love to stoke the fire a bit. But we can’t have meaningful conversations without shared definitions. So what’s your take? What do you mean when you say “fine-grained authorization” and “entitlement management?”

(Cross-posted from Burton Group’s Identity blog.)
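
The two senses of “entitlement management” discussed above, side by side, as an added example that is not part of the original post: the gather/review/clean-up legwork, then a run-time decision point with a separate enforcement point consuming the cleaned data. All system names, groups, users and function names are hypothetical and the data is constructed.

```python
# Constructed sample data: entitlements as exported from two target systems.
TARGET_SYSTEMS = {
    "ad": {"GRP-Finance-AP": {"alice", "bob"}, "GRP-Legacy-Fax": {"carol"}},
    "mainframe": {"RES.PAYROLL.UPD": {"bob", "dave"}},
}
# What each entitlement means and who may hold it; None = nobody could decode it.
CATALOG = {
    ("ad", "GRP-Finance-AP"): {"owner": "finance", "allowed_depts": {"finance"}},
    ("ad", "GRP-Legacy-Fax"): None,
    ("mainframe", "RES.PAYROLL.UPD"): {"owner": "hr", "allowed_depts": {"hr"}},
}
HR_FEED = {"alice": "finance", "bob": "finance", "dave": "hr"}  # carol has left


def gather(systems):
    """Step 1: collect (system, entitlement, user) rows from every target system."""
    return sorted((s, e, u) for s, ents in systems.items()
                  for e, users in ents.items() for u in users)


def review(rows, catalog, hr_feed):
    """Steps 2-3: flag entitlements that are no longer valid and assignments
    that are not appropriate for the person holding them."""
    findings = []
    for system, ent, user in rows:
        meta = catalog.get((system, ent))
        if meta is None:
            findings.append((system, ent, user, "entitlement has no owner or meaning"))
        elif user not in hr_feed:
            findings.append((system, ent, user, "user not in HR feed"))
        elif hr_feed[user] not in meta["allowed_depts"]:
            findings.append((system, ent, user, "department mismatch"))
    return findings


def cleanup(systems, findings):
    """Step 4: remove the flagged assignments; returns a cleaned copy."""
    cleaned = {s: {e: set(u) for e, u in ents.items()} for s, ents in systems.items()}
    for system, ent, user, _reason in findings:
        cleaned[system][ent].discard(user)
    return cleaned


# Run-time sense: the decision point and the enforcement point are separate.
def pdp_decide(entitlements, user, system, ent):
    """Policy decision point: answers permit/deny and enforces nothing."""
    return user in entitlements.get(system, {}).get(ent, set())


def pep_enforce(entitlements, user, system, ent, action):
    """Policy enforcement point: asks the PDP, then blocks or runs the action."""
    if not pdp_decide(entitlements, user, system, ent):
        raise PermissionError(f"{user} denied {ent} on {system}")
    return action()


if __name__ == "__main__":
    findings = review(gather(TARGET_SYSTEMS), CATALOG, HR_FEED)
    cleaned = cleanup(TARGET_SYSTEMS, findings)
    for finding in findings:
        print(finding)
    print(pep_enforce(cleaned, "dave", "mainframe", "RES.PAYROLL.UPD",
                      lambda: "payroll updated"))
```

The run-time decision is only as good as the data behind it: before the clean-up, the same decision point would have permitted bob to update payroll.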

Two Bonuses for Privacy Professionals

There are plenty of reasons to come to Catalyst. Engaging workshops, great sessions, interesting speakers, the chance to see the entire Identity and Privacy Strategies team on stage with bags on their heads - you know, the kinds of things you’d expect. For those of you with a Certified Information Privacy Professional (CIPP) certification, this year we’ve a little something extra for you – continuing education credits. By attending IdPS’ Privacy Risks Get Real track, you’ll earn 3.5 hours of continuing privacy education (CPE) credit. Attend SRMS’ Risk Management: Programs You Can’t Afford to Cut and receive another 3.5 hours of credit.

Our travel luck has run out

My wife and I just got back from a long weekend trip with friends. We’ve been to the greater Playa del Carmen area of Mexico a bunch of times. We figured that this would be an easy trip. And for the most part it was. Hotel Basico, as always, was awesome. The rooftop bar and pool is great. The food is amazing. I’m not sure how they do it, but the fried fish nuggets are amazing. Playa, sadly, is slowly being turned into a more rustic Cancun. It became noticeable last time we went and this time it was all too obvious. More stumbling drunk idiots and more chain stores. This is not a good trend.

For a change of pace, we headed down to Tulum to check things out there. Overall, we liked the area. There is, however, a fundamental problem with the area’s value proposition. Most of the hotels are on the water and are rustic. We had some very serene moments just watching the waves roll in. But that being said, the price per night for one of these hotels seems to average about $170. That just is too high for a shower whose pressure resembles a Windex bottle and a room that lacks A/C. At $100 or less, the value prop works, but I just have a hard time paying for what I know to be a glorified backpacker flophouse. (And in case you think I am being a snob, I have spent many a night in low budget hotels around the world and loved them. Much love to Archie’s House.)

So our travel luck… On any trip there will be some hiccup along the way, but nothing that cannot be accommodated. On this trip there were three. First up, Sunday was Daylight Savings in Mexico. Who knew? Clearly we didn’t but, apparently, the hotel staff did but neglected to mention it. A bit of frantic pre-coffee thrashing about but I’ve done worse. We had planned on leaving an hour earlier than usual to grab some breakfast back in Playa so the time change didn’t throw us off too badly.

Second up - on the way to the highway and north to Playa, the check engine light goes on in our rental. Thinking that it is just gas cap related, and frankly having no other options, we pushed on. Then the engine light started blinking. The car started to shake when I gave it the slightest amount of gas. And then it died at a stop light. Plane leaves in 3.5 hours. We are 1.5 hours away. Car, though not smoking, was not in a good way. Clock’s ticking. There’s a Hertz a kilometer or so behind us and so we coax and cajole the car back there. Sunday morning at 7:30, I am not expecting anyone to be there. But there was! And at this point I must credit my friend L. She is a fluent Spanish speaker. But how many non-native speakers are familiar with automotive vocabulary? So L conveys the situation. The staff were amazingly helpful. Within twenty minutes we were rolling again.

Thus far we have dodged about as much trouble as one would expect to encounter on a trip. But you know me better than that. The next thing we had to deal with was bigger than the first two combined. North of Playa, we get pulled over by the Municipal Police. Again, L to the rescue. But how many non-native speakers know how to talk their way out of a speeding ticket? According to the slightly pudgy cop (or at least the guy in the cop uniform) I was speeding. And according to him there are two things by which the police cannot abide: speeding and drinking (I think he meant drunk driving). He referred to me as “Speedy Gonzalez.” He might as well have been reading from the “Guide to fleecing tourists” handbook. Did he mention how fast I was going? No. Did he point out the speed limit? No. But did he know enough American culture to refer to me as Speedy Gonzalez? Of course he did.

And what happened next was he said that my driver’s license, and me, had to go a half an hour away to be processed. (Keep in mind that downtown Playa del Carmen was, at most, 15 minutes away.) This option didn’t seem so appealing. L, smartly, asked if there was another way to deal with the fine for speeding. Our friendly overfed constabulary said there was. We could pay the fee right there by the roadside. The only problem was that he didn’t have a receipt to give us, but if we didn’t mind we could just pay him anyway. Sure, whatever.

Amazingly enough, Mexico fines speeders in US dollars… $200 to be exact. $200. Think of your last speeding ticket. If you got hit for $200, you were likely doing over 80 with up to, but not exceeding, 2 pedestrians squished on your hood. $200 for doing, at most, 10 km/h over the limit in a 100 km/h zone seemed a tad excessive. We didn’t have $200 on hand and weren’t really in the mood to part with that much scratch, so L pressed on and asked what the fine would be in pesos. You know pesos - the currency of the country in which we were currently pulled over by Officer Hada Couple O’Churros. And so he starts to write on his hand and comes up with a figure: 2000 pesos. The exchange rate was in our favor but 2000 was way more than we had.

The beginning of the beginning: our privacy report publishes

Over the last 6 or so months, Bob Blakley and I have been doing a lot of listening and thinking about privacy. To successfully re-launch our privacy coverage, we needed to lay a wide foundation that would serve to support future research. We needed to provide a meaningful starting point for our customers. Since our customers’ jobs are not typically focused on privacy, we needed to start with a form of first principles and build outward.

I’ve learned that it is generally frowned upon to use the second person in our reports – too informal I am told. Use the blog if you want to address the audience directly. Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge. We had to work hard not to write without using “you.” And why was that? Privacy discussions are and must be inclusive. They involve each of us on a far more personal level than a discussion of, say, account lifecycle management. Cognizant of privacy implications or not, the decisions you make on a daily basis have effects on the privacy of your customers and partners. Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone. You. Me. Everyone.

To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leading to practices and behaviors: