Security measures identity protocol flows

From IIW

Session Topic: Security Measures Open Identity Protocols (T3J)

Convener: Cordny Nederkoorn

Notes-taker(s): Cordny Nederkoorn

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

This session started with the observation that the less data we put in the cloud, the better.

Microsoft added that Office 365 is more user-centric in this respect, but using open identity protocols like OpenID in enterprises is still a no-go. The same holds for banks that hold data other than banking data, such as health data.

What does the customer want? It is scary to see that they still want to use username and password. Enterprises react to this with password managers, but if these password managers keep all the passwords in one place, that is a no-no.

Enterprises like AT&T think more in terms of interoperability frameworks, and together with Microsoft they want to develop a standard way to link their information for the benefit of themselves and their customers. Using Information Cards here is possible, but the complexity spikes dramatically with every parameter added, which will scare customers away.

What about web services? Concerning legal liability, 2 out of 100 carry a high liability, making it necessary to use a stronger form of authentication than username and password for those, in contrast to the other 98.

To make web services safer, the parameters can be validated and then replaced in a structured way by a token that stands in for the customer's information, masking the real data and thereby securing it. Mapping the tokens back to the real data is still a difficult process, because of documentation and usage.
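The tokenization approach sketched above, as an added example that is not part of the session notes or any participant's code: web-service parameters are validated structurally (digit length plus Luhn check for a card number, a fixed pattern for a patient identifier), the sensitive values are swapped for opaque random tokens, and the token-to-value mapping lives only in a separate vault that the downstream service never sees. The field names, the validation rules and the sample request are assumptions made for illustration.

```python
"""Added example (not from the IIW session notes): tokenizing sensitive
web-service parameters behind a vault.  Field names, validation rules and
the sample request are assumptions for illustration."""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Structural check for card-style numbers (Luhn mod-10 checksum)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Assumed field names and the structural validation each must pass before
# a token is issued.  Anything else in the request is passed through as-is.
VALIDATORS = {
    "card_number": lambda v: bool(re.fullmatch(r"\d{13,19}", v)) and luhn_ok(v),
    "patient_id": lambda v: bool(re.fullmatch(r"[A-Z]{2}\d{6}", v)),
}


class TokenVault:
    """Holds the only mapping between tokens and real values.

    Tokens are random, not derived from the value, so holding a token
    reveals nothing about the data it stands in for."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}          # token -> real value
        self._by_value: dict[tuple[str, str], str] = {}  # (field, value) -> token

    def tokenize(self, field: str, value: str) -> str:
        if not VALIDATORS[field](value):
            raise ValueError(f"structural validation failed for {field}")
        key = (field, value)
        if key in self._by_value:            # same value -> same token
            return self._by_value[key]
        token = f"tok_{field}_{secrets.token_urlsafe(16)}"
        self._by_token[token] = value
        self._by_value[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and whoever is authorised to call it) can map back."""
        return self._by_token[token]


def mask_request(vault: TokenVault, params: dict[str, str]) -> dict[str, str]:
    """Return a copy of the request in which every sensitive field has been
    replaced by a vault token; non-sensitive fields are left untouched."""
    return {
        k: (vault.tokenize(k, v) if k in VALIDATORS else v)
        for k, v in params.items()
    }


if __name__ == "__main__":
    # Constructed sample request; the card number is a well-known test value.
    request = {"card_number": "4111111111111111",
               "patient_id": "AB123456",
               "amount": "12.50"}
    vault = TokenVault()
    masked = mask_request(vault, request)
    print(masked)                                   # tokens instead of data
    print(vault.detokenize(masked["card_number"]))  # 4111111111111111
```

The downstream service only ever handles the masked dictionary; the mapping problem the notes mention becomes the question of who is allowed to call `detokenize` and how that is documented, rather than of every service storing the real data.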

AT&T proposes, next to the 3 A's (Authentication, Authorization and Audit), a 4th one: Assurance. This is time-dependent, as illustrated by ending a subscription, where the expiry date is not the end-of-subscription date, which makes it possible for a customer to re-subscribe under the same conditions.

Necessary here is that the parties involved use the same semantics and syntax for these dates, otherwise the dates get mixed up.

The same need for shared semantics holds for error handling, which is a big hassle for support.

Just a few thoughts about keeping data secure in the cloud.