Andre Durand

Discovering life, one mistake at a time.

Archive for May, 2006

Warning to Executives Traveling Abroad

May 11, 2006 By: Andre Category: Life

I sat on a round table this week up in Seattle where both open source
and the current state of security were discussed. The panel was
moderated by a gentleman from the Pacific Northwest National Laboratory,
an agency comprised mostly of PhDs (some 4k of them) working “in the
desert” to serve most of our three-letter government agencies.

During his presentation, he made a comment which really hit me. It was
sort of a wake-up call that couldn’t be ignored, and I thought it
worthwhile passing on.

He said that if you are an American executive traveling abroad, you
should assume that if your laptop leaves your control (in customs, for
example), the hard drive has been mirrored. He said this is
especially true if you are traveling through France but that it should
apply to many foreign countries. Corporate espionage, and specific
targeting of well-known US executives traveling abroad should be

He also said many of these same groups (governments as well as
corporate and criminally sponsored) specifically target those attending
certain conferences, such as the RSA Security Conference. Beware the public email and Internet terminals.

I don’t know about you, but I’m genetically a trusting person and this
is clearly a dangerous default to have today. When I relayed this
comment to Phil Becker the other day, his insightful response was that
we Americans always approach obstacles by trying to “make the pie
bigger”, whereas the default for many outside of the US is to assume
they are playing a “zero sum game”, and this difference in approach
might explain why Americans are trusting, and many others feel
compelled to copy our hard drives as we pass through their countries.

Boeing Federates leveraging Ping

May 10, 2006 By: Andre Category: Ping Identity

As an entrepreneur who’s been slogging it away in the trenches of identity and federation going on 6 years (yea, I’m feeling a bit old lately), it’s nice to have a few big wins every now and then. This one’s big for us.

Boeing Pioneers Federated Identity Management with Partners
Bert Latamore   

May 10, 2006 (Computerworld) —  “We are at the beginning of a very big thing,” says Mike Beach, associate technical fellow at The Boeing Co. “We are on the edge of a huge uptake of this idea of federated identity over the Internet, and in coming years that will be the way people do business.”

The reason, he says, is expense control. The concept of federated identity basically is single sign-on at the browser level, not just for a few applications inside a company but between organizations. If a person is authenticated by his employer, under a federated identity model that authentication is accepted automatically by business partners with which that company has federated agreements, allowing that employee to access information at those other entities to which he has access privileges without having to reauthenticate himself.

Specifically, it means that Boeing’s 150,000 employees and 40,000 retirees can log onto Boeing’s network once and then access benefits information at any of the several financial institutions involved without having to log on to those companies’ networks or applications. And mechanics at Southwest Airlines, which piloted federated identity with Boeing, can access the latest maintenance manuals, bulletins and other information on Boeing aircraft without having to enter passwords or other identification information on Boeing’s portal. Instead, the individual’s identification comes embedded in each transaction using the Security Assertion Markup Language (SAML) standard, part of the XML standard set.

This provides three key benefits. For the user, it makes accessing specific information to which he is authorized on multiple private networks as transparent as accessing public Web pages on the Internet. Actually, most of these transactions travel over the Internet between corporate networks in encrypted form. But the key business driver is that it eliminates the need to manage intermediary passwords, which is estimated to be as high as $500 to $1,000 per user per month. It also simplifies and improves security for the service provider, which no longer needs to track changes in status of people in partnered organizations. So if a mechanic at Southwest Airlines, for instance, leaves the company, Boeing does not need to be informed. As soon as the former employee’s access to Southwest’s network is revoked, he can no longer access Boeing’s information.

Boeing and Southwest Airlines have been pioneering their federated connection for three years, while several business, legal and technical issues were worked out. “For the last couple of years, industry in general has been wrestling with the legal and business implications of federation, the liability issues, and who owns what,” says Beach, “And there were issues with competing standards in the industry. So we were in a holding pattern.”

As those were worked out, Boeing ran into a practical problem. “As we established new agreements with our benefits providers, we added a clause specifying that they would provide a SAML-based federated identity connection,” Beach said. “Many said, ‘Sure, we will be happy to do that.’ Then frequently Boeing would get a call from the provider’s security people asking, ‘Just what is SAML, and how do we set up federated identity?'”

Obviously Boeing’s business partners needed to be educated. Rather than take that on itself, Boeing contracted with Ping Identity Corp. in Denver, a network consulting and software company specializing in federated identity management, to write a manual and educational material covering all the information Boeing’s partners need to set up their end of the federated identification connection and to provide educational and technical support as needed.

Then just as Boeing’s identity management seemed cleared for takeoff, it ran into another snag. The SAML standard was evolving rapidly toward Version 2.0, which will incorporate both of the competing standards. But the software that Boeing was using had not been extended past Version 1.0. Once again Boeing turned to Ping, whose federated identity management solution supports all published versions of SAML.

“Since late last year we have added a half dozen connections with different companies,” Beach says. “We have about 10 customers that are in the process of putting the federated linkage together, and I hear we have talked with more than 20 others. Obviously in the future this is the way business will work.”
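The article says the user's identity travels inside each transaction as a SAML assertion and that access ends once the home organization revokes the account. The sketch below is an added example, not part of the quoted article and not Boeing's or Ping's code: it shows the checks a service provider applies to a SAML 2.0 assertion so that only a federated partner's fresh, correctly addressed statement is accepted. The issuer and audience URLs and the subject name are constructed placeholders, and XML signature verification is assumed to have been done beforehand by a vetted SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical names: the partner identity providers this service federates
# with, and the identifier this service expects to see as the audience.
TRUSTED_ISSUERS = {"https://idp.airline.example"}
MY_AUDIENCE = "https://portal.manufacturer.example"

# Constructed sample assertion (signature element omitted for brevity).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2006-05-10T12:00:00Z">
  <saml:Issuer>https://idp.airline.example</saml:Issuer>
  <saml:Subject><saml:NameID>mechanic42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2006-05-10T12:00:00Z"
                   NotOnOrAfter="2006-05-10T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.manufacturer.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2006-05-10T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, now):
    """Return the subject NameID if the assertion passes, else raise ValueError.

    Assumes the assertion's XML signature was already verified (not shown).
    """
    root = ET.fromstring(xml_text)
    # Trust is per partner: no password for the user is stored on this side.
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        raise ValueError("issuer is not a federated partner")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("missing validity window")
    # A short window means a revoked user cannot reuse an old assertion.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if MY_AUDIENCE not in audiences:
        raise ValueError("assertion was issued for a different service")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing subject")
    return name_id
```

Once the identity provider stops issuing assertions for a departed user, the last one it issued fails the validity-window check within minutes, which is why the service provider never needs to be told about the departure.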