Blog de Joe Freeman

Google Drive is one of those cloud technologies that democratized cloud access to data storage. It lets you securely push all kinds of data into and out of the cloud via Google-provided APIs. APIs and documents are bound to permissions, roles, and identities. Programs accessing Google Docs require credentials, preferably least-privilege credentials, which exist just for a single program's needs. Google IAM supports Service Accounts that are not tied to any human .  They can be enabled and disabled without impacting individual users.  Accessing Google Docs via API means you have to enable  Google Drive API  in a project, create an identity/credentials for the program, and then give the identity access to the docs or the API.  There are plenty of good tutorials that walk you through setting up an account. They are often light on the overall process or how the steps tie together.  It can be confusing the first time or 10 you go through it. Google services are...

We're flooded with data.  Customers and fraudsters have the ability to submit data, purchase services or products, and interact with corporate edge systems.  Every transaction should be wrapped with the following questions. Who are we talking to?  What is the risk if we don't know? Who are we talking about?   What is the risk if we tie it to someone we already know about? What is the risk of poisoning other data? Be skeptical my friend. Video Presentation Presentation Content Speakers notes will be added later

Customer identifiers are the keys we use to bind different bits of information together that we believe represent the same person. This can be more complex than it sounds when you take into account the changing amount of what we know, corporate acquisitions, and partner company interactions. Video Presentation Content Speaker's notes to be added at some future date. A corporation, with divisions that each have apps and with partners. The corporation runs with a single id per person and handles any merge or separation actions by updating all parties. Conway's law: Architecture and communication paths align with organizational structure. Every team does their own thing. Division IDs are bound to the corporate ID at the corporate level. Corporate IDs are bound to the division at the division level.   The corporation creates link ids there shared with the other orgs. The other orgs create link ids and share with the parent corporation.

Identifying the "same person" when they exist in multiple affiliates or multiple contact channels can be messy with a set of tradeoffs. People show up or interact with organizations with different personas. They may be customers or incident reporters or marketing contacts or someone who just happens to make an inquiry. Even customers / registered people may exist as more than one person because of mergers, identity changes personal choice, or system errors. The speaker notes below represent a subset of the comments in the video. Video Associating Personas - Images Organizations make people create accounts in order to bind those people to permissions and preferences. Accounts may provide traceability from account to person but they often don't provide the only link to that person.  People can create multiple accounts for various purposes. This means that an account may be bound to a ...

Companies and organizations deal with people. Sometimes they are highly confident of the person's identity or the fact that it is the same person they dealt with in the past. Sometimes they are highly confident of a reliable identity when it turns out they are actually confident in the account's identity. Other times they have information that would never meet a legal bar. Those types of identities are good enough for marketing or sales or preferences but not good enough for legal documents or other use cases. Video The video goes into more detail than the speaker notes in the slides section. Presentation Content Organizations have all kinds of different contacts with individuals and other organizations. Our confidence in knowing those individuals ranges from anonymous to highly confident.

Companies often manage multiple identity pools, I nternal users, B2C customers, B2B customers, Partner interactive  and , Partner M2M .  Internal, Customer, and Partners often use completely different systems for identity management, authentication  AuthN,  and authorization  AuthZ .  Their automation and identity controls are different even when their security risk profile is the same. The different user types have similar requirements but we often implement them separately. User types are often implemented and managed differently even though they should have the same top-level compliance and security requirements.  Identity systems all need to provide some basic functions. Identity Persistence Identity Creation and Deletion Identity Validation API and integration points for systems and applications. Group and role manipulation Group and role exposure. Self-management via API or Console ...

Identity and Permission inventories first step towards understanding your identity and permission exposure. We want to create a common understanding of the identities and roles used by our systems. Actors that reach out to other capabilities operate with an identity . Capabilities that are asked to do something on behalf of actors are configured to allow or disallow work requests based on the role that the Actor's identity has in the receiving system. Individual components may be operate as both Actors and Capabilities at different parts of their processing. The principal of least privilege says that tasks execute with the minimum permission to do the work request. The simplest way to do this to isolate each actor by giving them their own identities. Each system contacted by the actors maintains an identity/role map that describes the identity's permissions in the receiving system. The table at the right shows The iden...