Andre Durand

Discovering life, one mistake at a time.

Archive for February, 2007

Vista Launch – It’s a different world

February 28, 2007 By: Andre Category: Identity

Has anyone noticed this is the first launch of Windows not being simultaneously driven by hundreds of desktop software applications vendors (ISV’s)?

Back in the go-go days of Comdex, a new Windows launch would have been accompanied by hundreds of other applications providers talking about their latest and greatest running only on the newest version of Windows.

What’s changed? A shift of functionality to the Internet.

Shift happens.


February 27, 2007 By: Andre Category: Identity

Start pages have come a long ways! I had no idea.

I am not how I pay

February 23, 2007 By: Andre Category: Identity

Payment networks have historically accommodated just enough identity
(account vetting and authentication) to manage their risk of fraud.

networks however, are now being built out of left field, but unlike the
payment networks (brands like Visa, Plus, Star, MasterCard), the
identity networks will enable the end user to do so much more, and as a
result, are likely to have an even more significant and tighter pairing
of brand association and awareness. After all, the pure identity plays
will lay the foundation for the future of privacy, reputation
management, social networking management, access control in both
physical and logical worlds and the list goes on and on.

Payment Networks:

inevitable that these same, branded identity networks (pure plays) will
ultimately tie to the existing payment clearinghouses. When that
happens. Boom.

Have Identity, Will Travel.

February 19, 2007 By: Andre Category: Identity

I’m a big fan of Gerry Gebel, Mike N., Jamie and all of the guys I’ve interacted with over the years at the Burton Group.

While pragmatic, they just represent to me the ‘can do’ side of new technology adoption, which as an entrepreneur whose found himself caught in the eddy of emerging technologies a few times before, it’s nice to have the truly smart guys focusing in on what’s happening within your space.

I almost missed it, but fortunately a friend turned me onto this recent article by Gerry Gebel talking about the state of federated identity within the market. It’s exceptional.

Shiny Paint

February 19, 2007 By: Andre Category: Identity

Francis Shanahan recently commented to Kim Cameron his concerns and interpretation of an announcement we made of our open source module for “CardSpace enabling Apache applications.”

The heart of the discussion revolves around the specific choice of words we used in our announcement, namely, the fact that we chose to use the term ‘CardSpace’ rather than say, ‘XML token’, which might have been technically more accurate.

No one’s ever blamed me of being too accurate or concise, but that’s not the reason we chose the headline we did. For me (Eric, don’t laugh), its all about keeping a Shiny exterior, and the details of how we plumbed it behind the curtain.

Breakouts in consumer behavior happen when a new but also very concise set of technologies, terminology and consumer benefit all converge in space and time.

While I believe we’re on the cusp of a very exciting moment for those that have followed and are passionate about the identity conversation, (I equate it to the moment we achieved ‘dial-tone’ in the old phone networks), we run the risk of delaying this breakout because we are trying to push forward with too many tips to our arrow, rather than one sharp point that is able to penetrate quickly, and for which everything else we wish to do can extend from.

CardSpace, Higgins, OpenID and SAML are all great technologies and advancements, and each has their place. As the conversation becomes more dense, it’s inevitably that the visions connect and converge, and we recognize that we all started from different points in time and perspectives on what was initially important to the constituency we looked to serve.

But, if as an industry we want to open up the consumer market to this thing we refer to as ‘Internet-Scale Identity’, then we need to streamline our messaging and hide our own complexities. Kim has it exactly right when he makes analogy to the notion of hiding the complexity of a file or folder icon on the desktop from the average user. I’m a big fan of keeping the shiny paint on the outside, and the engine under the hood, and at this moment in time, I’m also a big fan of putting the wood behind as few arrow tips as possible.

Phil Becker had an observation here that I think is really astute when he said that CardSpace is for consumers discovering and experiencing their digital identity what Mosaic (the 1st browser) was to discovering the Internet for the average user. Meaning, for the first time, an average user can see and experience what’s happening with their identity in a consistent manner.

As a participant in this conversation, and one looking to expand the pie as quickly as possible, I view Ping’s role as supportive to all of the great minds out there who are inventing this stuff. It is paramount that we move CardSpace (and Higgins for non-MS environments) forward, because, I believe, only when these are complete and the server side infrastructure gets behind them will we have the foundation for a breakout.

Stocks Soar as Federation Gains Traction!

February 16, 2007 By: Andre Category: Identity

It would appear that several of our customers have experienced great run-ups in share prices recently. I have no doubt this comes as a result of their bottom-line improvements from having selected Ping Identity to federate with partners. šŸ™‚

Google does SAML

February 16, 2007 By: Andre Category: Identity

Not quite sure how I missed seeing Google’s recent release of a SAML interface to Google Apps for your Domain, but it appears Paul Madsen didn’t miss it, and he does a nice job describing the interaction.

Leveraging standards for cross-domain SSO is an inevitability. It’s nice to see companies like AOL taking note of OpenID, and Google taking note of SAML.

Dogpile Identity

February 15, 2007 By: Andre Category: Identity

I find it amusing how when a certain technology gets hot, take search for example, everyone tries to out-‘meta’ the next guy. I guess it’s no surprise then that we’ve got plenty of folks trying to jump to the top of the identity dogpile.

On emerging markets such as identity

February 13, 2007 By: Andre Category: Identity

The buying begins…

…when the discussion ends.

Why We Developed PingLogin

February 13, 2007 By: Andre Category: Identity

Consumer Authentication – Background

Over the last few years, consumer facing web applications that require some form of security to protect access to their resources have faced a significant increase in issues related to online fraud. Combined with the anticipated need to support new mechanisms and channels for consumer authentication (e.g. CardSpace, OpenID and Higgins, mobile devices, flash, Ajax and voice) many companies are now beginning to rethink their approach to consumer authentication, and their homegrown systems, they realize, are simply not architected to take advantage of many of these anticipated advancements.

That was thenā€¦

Most consumer-facing web applications were developed in the mid 1990ā€™s, and implemented only a simplistic userid and password based mechanism to authenticate their consumers. This mechanism has been repeatedly implemented (independently) in some proprietary manner within thousands of web applications. When just requiring a password was enough to authenticate the user (prior to pfishing); implementing an LDAP Bind or a JDBC call to a data store to validate the password, was deemed ā€˜good enoughā€™, and as a result, most companies rolled their own. To the extent web session management was also required, many companies implemented their won proprietary session token which they then stored in a cookie.

Why not the WAM products?

About the same time we saw the advent of the 1st generation of web access management (WAM) products (e.g. Netegrity, Access360, Securant, ClearTrust, Oblix etc.). While their focus was primarily on the notion of centralized policy management (authorization) for web applications, they also implemented mechanisms to provide user authentication and more importantly single sign-on; but only as a byproduct of offering policy based access management.

Given the cost and complexity of the 1st generation of COTS Web Access Management products, the vast majority of companies with customer facing use-cases chose NOT to deploy these products in their consumer facing scenarios, but instead use them ONLY for internal / employee facing use cases only. This is the dirty little secret we discovered when first approached to build a next generation framework for consumer authentication. The logic was simple, the existing WAM products were deemed too ā€˜heavyā€™, too complex and too expensive to deploy for customer/consumer facing applications.  

So what about now in 2007?

What was interesting to us here at Ping Identity was that if you roll the clock forward now to 2007, with regards the WAM products, nothings changed. In fact, things have gotten even worse, in that many of the WAM vendors have been acquired, and are now part of an even LARGER, even MORE proprietary or EXPENSIVE stack.  That said however, things have changed in the architecture and environments surrounding these products and the need for a new, lightweight, laser focused approach towards consumer authentication. With the advent of SAML, authentication has now become ā€˜portableā€™. ISVā€s are building SAML into their products and weā€™re seeing a natural bifurcation of AuthN and AuthZ services. Itā€™s this clean separation of authentication and session management services from policy, authorization and entitlement management that PingLogin was designed to address.

Feeling the Pain

For the first time in several years, companies that rolled their own simplistic password based consumer authentication are feeling the pain and stretch of their systems to the breaking point. And thatā€™s where PingLogin comes in. For those companies now feeling the pain of consumer authentication (need for strong auth, need to support new mechanisms such as CardSpace, OpenID or Higgins, need to support multiple consumer ā€˜channelsā€™ such as HTTP, AJAX, Flash, Mobile, Voice etc.), the existing products, for all the reasons they werenā€™t originally chosen, still didnā€™t suffice. They are still too focused on policy, still to light on authentication flexibility and still deemed too expensive to deploy in consumer facing use-cases.

Most consumer facing applications will have to address strengthening their existing consumer authentication mechanisms over the next two years and consider implementing new methods of consumer authentication. It is highly likely that this will be an iterative process that will continue ad infinitum. The attackers will always be looking to break through the next generation of consumer authentication techniques. It is an arms race that will not decrease, considering online transaction volumes and are likely to continuously increase.

What Ping Identity is doing about it

Starting around a year ago, Ping Identity and two large design partners began working together to create a 2nd generation web authentication product that fundamentally re-addressed the need for extensibility and flexibility when it came to consumer authentication & single sign on. The major design goals for this new product was performance, extensibility and flexibility to address the continuously shifting landscape of online consumer authentication. A landscape that that will be impacted by regulators, consumer whims, the media, and existing and unknown attacks.

Now for the first time, organizations that have implemented their own proprietary system have the opportunity to implement a commercial solution that eliminates maintenance and development going forward while allowing flexibility to meet specific business and risk requirements.

But What if I’ve Deployed a WAM Product?

Organizations that have implemented an access management product also have the opportunity to migrate to a more focused authentication platform that provides far more extensibility and flexibility to address identity theft and fraud detection. And of course, it works with PingFederate out of the box.

Who Should Take a Closer Look at PingLogin

PingLogin isn’t for
everyone, but for those organizations that have massive consumer
authentication requirements and want a commercially supported framework
which is going to provide out-of-box functionality designed for the
future of consumer authentication, you should take a closer look.
PingLogin 2 is now available for download.

PingLogin Technical Overview | PingLogin Datasheet | Download PingLogin

PingLogin Design Principles

PingLogin was designed to support consumer authentication and SSO for large-scale, mission-critical, consumer-facing Web apĀ¬plications. The product has been architected with specific governing principles to ensure it can be successfully used in these target environments to provide a framework for the next decade:

  • Open and Standards-Based: Wherever possible, PingLogin supports open standards instead of proprietary protocols (CardSpace & OpenID to be supported modules of PingLogin). In addition, certain product modules are made availĀ¬able to customers and partners through both shared source and open source licenses.
  • Extensible and Flexible: A flexible set of APIs is included to give customers a robust framework for integrating PingLogin into existing Web applications and environĀ¬ments. As business and security requirements change, organizations should be free to add or modify functionality and not be bound to the release cycles of the product.
  • High Performance: Consumer applications authenticate millions of users daily. ConĀ¬sequently, lightweight mechanisms to support authentication, session management and single sign-on are critical to meet consumersā€™ expectations for response time and performance.
  • Focus on Authentication: PingLogin is a best-of-breed solution for consumer authenĀ¬tication. PingLogin retains a distinct separation between authentication and application authorization.
  • Web Services Integration: While LDAP is supported, the PingLogin architecture asĀ¬sumes that Web services will be one of the primary mechanisms used by customers to integrate with external authentication providers and identity stores.
  • Simplicity: Throughout the product, there is always a simple implementation model for basic use cases that can be built upon as necessary to address differing (and sometimes opposing) business and technical requirements.