Mitigating OAuth 2.0 Security Issues with Good Profiling
While any alternative to the cross-service password sharing anti-pattern is goodness, OAuth 2.0 also introduces some insecure flows to accommodate a broad range of use cases and to be as developer-friendly as possible. A previous post explores these assurance issues,…
A Systematic, Comprehensive Approach to Security
One of the central pillars of the security model we built in our knowledge base at Burton Group was called “A Systematic, Comprehensive Approach to Information Security.” I’ve always found this model helpful to use in any security analysis so…
Bob Blakley Saves Some of the Best for Last from CIS 2013
Bob Blakley, Global Head of Information Security Innovation at Citigroup and my former colleague from Gartner and Burton Group, has posted his Cloud Identity Summit (CIS) 2013 presentation on SlideShare. It’s called “What if Identity Were Pass-By Reference” and it…
Automate Everything? Another Cloud Identity Summit Review
At the Cloud Identity Summit (CIS) 2013 Andre Durand led off the morning keynotes, followed by Gunnar Peterson and Patrick Harding with strong presentations of their own. Patrick’s presentation “Modern Identity: Automated, Discoverable, Scalable” brought Andre’s conceptual framework (reviewed…
Cloud Identity Summit Keynotes: Identity – the Enabler of Next
Andre Durand, CEO, kicked CIS 2013 (#cisNAPA) off with “Identity – the Enabler of Next” – and if I don’t entirely like where “next” is going, that’s not his fault. Anyway, I’ll share Andre’s 9 observations and 1 AHA moment…
OAuth 2.0 Assurance Issues
In a previous post, “REST Uneasy: Do we need to Worry about OAuth 2.0?” I raised a question which I’ll now attempt to answer in some detail.
The OAuth 2.0 protocol is designed to improve security in scenarios where,…
Incident Response, the Cloud and the CSA Control Objectives
As an information security officer, you don’t want to wait until you’re in the middle of a serious security breach to discover that the forensics, incident reporting and incident response processes of a cloud service provider (CSP) you’re depending on…