Last week I was on a PR mission in Leuven, Belgium, at the EEMA eID interoperability Conference.
Together with 2 members of the Kantara Initiative I presented UMA to the EEMA delegates, investigated the possible use of UMA as a part of the eID (electronic ID) and the possible cooperation of Kantara and EEMA. We succeeded in all.
This EEMA conference was organized to discuss specific areas of importance in the digital identity arena and exchange ideas amongst its delegates.
This year it was mainly about industry, business and administrations dealing with privacy, which was not surprising to me given the enormous amount of attention paid to this difficult issue over the last year.
Companies like SafeNet, Verizon, IBM and CA shared their vision and solution for eID issues, while institutions like Novay and the Fraunhofer Institute gave insight into their eID research.
Administrations were also represented by different countries, EU consortia and agencies (e.g. ENISA, STORK, SSEDIC), giving the conference a diverse crowd consuming the latest intel on eIDs.
And in this crowd I was present with my UMA-session, which was well-received by the delegates and new fruitful contacts were made.
UMA was a bit of an outsider, because most issues dealt with authentication, in contrast to the authorization-protocol UMA.
However, UMA is user-centric and interoperable, so much discussion was about its use in trust frameworks between authentication protocols like OpenID, SAML and other authorization protocols like OAuth. After all, in an enterprise it's very important to know whether the person sharing data with you online is really that person (authenticated) and is also authorized by his company to share these things. Missing both functions makes this person useless to you, costing only time, effort and in the end the profit of your enterprise.
With UMA you have a 'doorman', dealing with the sharing of your data with 3rd parties, relieving you from the hassle of doing this yourself.
Together with my fellow UMAnitarians I look forward to future implementations of UMA in online identity solutions built together by industry, business and administrations.
All in favor of the person UMA is built for: the user who wants to control the access to his online data!
Sunday, March 20, 2011
Sunday, March 13, 2011
Feeling like Marco Polo
Over the last few years, understanding the process of online identities has been like an adventure to me.
Sometimes I feel like Marco Polo, although he explored new countries and trades, my mission is to explore and test new ways people can share their online identities and resources.
Like Marco Polo, I meet extraordinary people like UMAnitarians, OAuthians and OpenIDealists.
As Marco Polo had to master his Chinese to understand his new companions, I have to learn XML, JSON, HTTP and different web protocols to understand my new companions.
That's why I'm grateful people like XMLGrrl, Identity Woman and many more guide me in this exploration.
This week I will do some UMA-trading in the form of a session at the EEMA eID interoperability conference in Belgium and in May I will explore, together with a Dutch team, the Internet Identity Workshop 12 in the USA.
Like Marco Polo, I'm an adventurer and tradesman; maybe Google Circles will be my next quest. Something I have to talk with the UMAnitarians about soon.
Sunday, February 27, 2011
A Tester's perspective: Privacy in Design by Microsoft
A month ago I promised to blog about privacy solutions the cloud vendors apply at this time.
This post will discuss Microsoft's efforts in handling privacy.
When googling for Microsoft the first hit's a bullseye.
A portal about how Microsoft deals with privacy issues and links to relevant information, ordered in a structured way. Regarding usability, a good start.
A portal is nice, but does it have info about how Microsoft deals with privacy issues?
Privacy by Design is a hot topic in the privacy community and also organized in Microsoft's business, in both development and operation.
Bold words, but how is this done?
First, Microsoft deals with Privacy by following the Microsoft Privacy Principles, which address Accountability, Notice, Collection, Choice and Consent, Use and Retention, Disclosure of Onward Transfer, Quality Assurance, Access, Enhanced Security, and Monitoring & Enforcement.
An example of the use of these principles is the link Privacy available at the Windows Live Hotmail site.
Wow, Privacy Principles, but who assures me, the user, these principles are lived by Microsoft?
Microsoft's Chief Privacy Officer (CPO, I just love those abbreviations), is responsible for managing the risks and business impacts of privacy laws and policies.
The CPO and his team had a great influence on Microsoft's new U-Prove (former CardSpace) and the Tracking Protections in IE9.
OK, Microsoft is concerned about the user's privacy, are there any negative sides to its policy?
Well, you could say the long development and at the end elimination of CardSpace in favor of U-Prove, but is this privacy-related? The Geneva-project was, IMHO, always a bit mysterious, but when Credentica was bought by Microsoft in 2008 things started to make more sense. Then it's more an issue what to use for identity control and if it's usable?
Believe me, I have enough experience with software projects where the architect says his design is flawless, but during end-to-end testing the software's performance is just plain lousy.
Another reason to involve testers at the beginning of a project.
Concluding, Microsoft commits itself to privacy, but it's still an evolution of development and process, so do not expect miracles!
People at Microsoft are also just people.
Labels: microsoft, privacy by design, Privacy Principles, U-Prove
Sunday, February 20, 2011
Got the flu last week, what did I miss?
Last week it was my, once in two years, out-of-the-office-because-of-the-flu-week.
More simply said, I was bugged :-(.
No worries, I'm back on my feet and now I'm looking at what I missed out on in testing, SaaS, security and identity last week.
Fortunately, my fellow bloggers weren't ill and could produce daily/weekly news for me, like Frank Wray's Identity in the Cloud Weekly, Christophe Primault's The GetApp.com Daily, EPA's blog and Jaap Kuipers' PIMN. Great stuff guys, saves a lot of Googling.
If I would exclude testing now for keeping it short, what did I miss out on SaaS, security and identity?
Well, one nice thing to mention on SaaS/Cloud computing is a webcast Maurice van der Woude, general director EuroCloud Europe, gave on Brighttalk about Managing Hybrid Clouds from a Supplier and User Perspective. Here, next to explaining what a hybrid cloud is, he also discusses the interoperability needed in a hybrid cloud and the privacy issues. A very informative talk, which is suitable for both business and tech pros.
Going further to security, well, the biggest news was the RSA-conference held in San Francisco, attended by some of my fellow UMAnitarians and also PIMN-members.
For UMA, Congratulations to the SMART team for their win of an IDDY award in the Proof of Concept category from Kantara for their UMA development work! This is good news for a possible adoption of UMA by the industry.
Another interesting RSA item to mention is the panel discussion, co-led by Ikuo Takahashi, on Legal issues occurred by international cloud computing. This means cloud computing is more and more seen by policy-makers as something that is going to happen, and legal issues must be attended to. It now only depends on how this policy will be governed, and on what geographic scale: globally or per country?
Mr. Takahashi, thank you for your feedback on my questions to this, it gave me a lot of insight, which I will further explore the coming weeks.
So, this is just my humble view of last week. One week knocked-out by the flu, but luckily I can rely on my fellow-bloggers, as they can rely on me, to keep the news posted.
Sunday, February 6, 2011
USA responds to the changing EU Data Privacy Directive, where's Asia?
Last week I blogged that the EU Data Privacy Directive is going to be changed in response to the adoption and development of Cloud Computing.
IMHO, I thought the USA couldn't lag behind and I was not surprised that NIST, the U.S. National Institute of Standards and Technology, has issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. Next to this, NIST has developed a Cloud Computing Collaboration site on the Web to enable two-way communication among the cloud community and NIST cloud research working groups.
So, it seems both USA and the EU are initiating efforts to guide the secure adoption of cloud computing by industry and consumer.
Now, I'm wondering about one thing, compared to Europe and the USA, what are the Asian countries doing to guide a secure adoption of cloud computing?
For a testpro like me it is very nice that guidelines are being made for the 'Western' countries, but a lot of the 'cloud' is built in the 'East', so this I can't neglect.
Asia is not unified like Europe or the USA, so government guidelines here are not easily made for the many different countries forming Asia.
Private consortia like Asia Cloud Computing Association (see Europe's EuroCloud) have been developed. But what about the Asian governments, are they making unified guidelines for Cloud Computing?
John Galligan, Microsoft Asia Pacific's regional director for Internet policy, discusses this, with an emphasis on Singapore, on futuregov.asia and zdnet.asia.
There are still challenges; I want to cite one of the sentences made here:
'One significant concern regarding cloud technology is the uncertainty over the location where data is stored and how strong data protection is to safeguard against criminal intent.'
This is also the case in the Western world, and as in the West, secure IT-auditing by the Asian governments and private sectors is necessary to test the security of their continuously innovating IT-infrastructure.
Galligan also says: "It's very interesting when people start to look at reliability, the level of redundancy and individual's access to the system, it can move decision makers to understand that maybe their current infrastructure is not as stable and secure as they think it is."
OK, it's a response from an employee of a private firm, but, IMHO, this is the single problem now with Cloud Computing, only with tackling these risks of reliability, redundancy and access, policy makers all over the world can be moved to adopt Secure Cloud Computing.
And that's a mutual challenge for all global parties involved in Cloud Computing: Business, IT-auditing, development and test!!
PS:
I'm no expert on Asian law; this example of cloud computing in Singapore does not have to be the case for other Asian countries, it only wants to illustrate an Asian response to Cloud Computing.