Having just returned from our biggest IBM security show of the year in Las Vegas, I thought it would be a good idea to share some of my personal highlights from Pulse 2013.
Identity and Access Management for Mobile Security
Many of those who attended with an interest in the IAM track of our security sessions would have seen my demonstration of mobile security for hybrid applications. In that demonstration I showed how various security technologies from IBM can be combined to provide a pattern for mobile security in hybrid applications. The technologies, and their business value, include:
OAuth for application instance registration, scoped authorization and revocation capabilities
Risk-based access policy for context-aware authorization decisions on sensitive transactions
One-time password for strong authentication, with demonstration of email, SMS, and HMAC authenticator integration
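The HMAC authenticator in the list above is the RFC 4226 HOTP algorithm (and RFC 6238 TOTP once the counter is derived from the clock). The following is an added example written for this post, not code from the demonstration or from any IBM product; the shared secret is the RFC test vector, and the look-ahead window and clock-skew tolerance are assumed policy values. The server-side verifier is the part that matters in practice: it must never accept a counter at or below the last accepted one (replay), but it has to tolerate a device that generated a few codes without submitting them.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with server-side verification.

Added example, not code from the original post or from IBM's products.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (20 ASCII bytes).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


class HotpVerifier:
    """Server-side state for one registered counter-based (HOTP) authenticator.

    Tracks the next expected counter and accepts a code only for a counter at
    or beyond it, within a look-ahead window (RFC 4226 section 7.4). Accepting
    a code moves the counter past it, so the same code cannot be replayed.
    """

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window      # assumed policy value
        self.digits = digits
        self.counter = 0          # next counter value expected from the device

    def verify(self, submitted: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.counter = candidate + 1   # resynchronise and block replay
                return True
        return False


def verify_totp(secret: bytes, submitted: str, for_time: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Accept a TOTP code for the current step or up to `skew` steps either
    side, to tolerate clock drift between the device and the server."""
    base = for_time // step
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))
    print("TOTP at T=59 (8 digits):", totp(TEST_SECRET, 59, digits=8))
    v = HotpVerifier(TEST_SECRET)
    code = hotp(TEST_SECRET, 3)
    print("first use accepted:", v.verify(code), "replay accepted:", v.verify(code))
```

The verifier compares codes with `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time whichever digit is wrong; for a six-digit code the real defence against guessing is rate limiting on the submission endpoint, which a policy engine such as the risk-based access component above would enforce.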
As with many of my demos, you can run it yourself from the hosted demonstration environment. After self-registration navigate to Account Management -> Manage Mobile Application Instances (OAuth). There you will find a link to download the Android application. Use the browser on your Android device and you can download and install right from that web page. Also on the page is a button to obtain a registration code that you can scan in from the app on your phone. Watch the video – you’ll get the idea.
Several people asked me how it all hangs together – that is probably a topic for a more in-depth article, but at least let me share this architecture diagram showing the various components in the solution and some of the native and web-based flows. I’ve turned the diagram into a short video with animations so you can follow a time-sequence of what the mobile application is really doing.
While on the demonstration site you may also wish to try out the one-time password and browser risk-based access demonstrations as well. These are self-guided, and are a good precursor to the mobile demonstration.
I am always interested in your feedback on these topics, so please feel free to contact me if you have something to share, or you can always comment directly on this blog.
IBM launches the MobileFirst brand
This actually happened during the timeframe of Mobile World Congress the week before Pulse; however, the announcement of the MobileFirst brand is very interesting and timely. I know from talking to a number of customers and industry subject matter experts that security is an incredibly important part of any mobile strategy, and I believe that even simple patterns such as the one shown above demonstrate that IBM has a lot of capability in mobile. The brand announcement will drive further investment in this incredibly pervasive technology and I am looking forward to being a solutions contributor for mobile.
Business Partner Solutions for IAM
A number of IBM Security business partner solutions were on display in the expo hall. With no particular bias, I was very impressed at the quality and depth of value-added services that our business partners are offering in the identity and access management space, built on IBM security products. Some of the offerings I saw personally (alphabetical by company) included:
I also spoke to a variety of other business partners during the conference, and apologies if I didn’t get to see your offerings in detail or mention them here.
IAM web gateway appliance and integrated security demo
In November 2012 the IBM Security team released the web gateway appliance as part of the IBM Security Access Manager for Web bundle. Available in either hardware or virtual appliance form factors, this appliance combines our world-class web reverse proxy (formerly known as WebSEAL) with X-Force-backed threat capabilities in a WAF (web application firewall), allowing customers to use a single appliance for addressing a large set of both access and threat requirements. Also thrown in are some basic load balancing and config replication features, plus a host of other new management interfaces. The customers I spoke to were very pleased to see this integrated approach to security delivery, promising faster time to value and completely abstracting away the middleware software management problem into a firmware upgrade. This was one of the hottest new products discussed for IAM at Pulse and something I believe will see rapid adoption in the coming 12 months.
In an even more recent bundling announcement, the virtual appliance form of the web gateway appliance is included in the IBM Security Access Manager for Cloud and Mobile offering, along with all of the base capabilities required to implement the hybrid mobile security pattern I demonstrated above.
From a demonstration perspective, there is a great integrated security demo of a bunch of products including the web gateway appliance and QRadar. This was put together by David Druker, and you can view it here:
Privileged Identity Management
On the identity side of IAM I was impressed with the demonstrations of the new privileged identity management solution. This allows controlled and audited use of credentials used for privileged access and has tight integration with both our IBM Security Identity Manager server and the Enterprise Single Sign-on client authentication solution. Here’s a demo of PIM:
Security Intelligence and Big Data
This partnership between the QRadar folks in IBM Security and IBM BigInsights promises to combine comprehensive analytics of unstructured data (from BigInsights, based on Hadoop technology) with a world-class correlation and offense detection engine to deliver unprecedented visibility into business security incidents. This will permit predictive analytics and new forms of real-time threat detection. I don’t pretend to grasp complete details of the technology yet, but I understand the value proposition (and it’s not for everyone) and I can see massive potential here for big companies with lots of historical information that today requires manual forensics. For more info check out this material: http://www-03.ibm.com/security/data/
There are many more topics I could talk about here – I learned a lot at this year’s Pulse conference. I thought it was a great event and I’m glad I was able to share a little about what we are doing in the Identity and Access Management portfolio in IBM Security as well.