June 26, 2009

Are Clouds of Change Looming over Perimeter Security?

Although managed security services (MSS) are a relatively well-understood and mature market, a few innovative startups are beginning to challenge the current structure of perimeter security. The interesting question at hand is whether the rapid emergence of cloud computing, and the de-centralization it engenders, challenges the whole notion of perimeter security, forcing our industry to re-invent today's approach to managed security services.


Today's managed security service providers (MSSPs) essentially offer perimeter security management outsourcing. Customers still have to buy and deploy on-premise security equipment such as firewalls, IPS, IDS and the rest. The tedious day-to-day management and continuous policy process is delegated to the cloud, but the security boxes remain. From that standpoint, today's managed security services fall short of moving the infrastructure cost and complexity of perimeter security to the cloud.

This raises the question of what happens to perimeter security when enterprise mission-critical data and applications start migrating off the IT network to the cloud. How does an enterprise create, enforce and maintain security, access and auditing policies in a world where sales data reside at SalesForce.com, and departmental applications are running on Google App Engine, Microsoft Azure or Amazon EC2? In short, what does perimeter security mean when the perimeter extends beyond the familiar boundaries of today's corporate network?


One approach is for SalesForce, Microsoft, and Google to create home-grown perimeter security management services on top of their respective cloud infrastructures. The PAAS (Platform as a Service) vendors would have to make their cloud perimeter flexible enough to adjust to policy requirements as diverse as their customer base. And since applications will migrate across machines depending on load, these policies would need to follow the data and applications dynamically across data centers, servers and virtual machine slices. In many ways, this means that perimeter security has to be virtualized in the same way as the virtualized data and applications it is meant to protect. The problem with this model is that it forces PAAS providers beyond their initial core competency: from Web services infrastructure providers driven by large economies of scale to full IT infrastructure security and compliance providers. That is a lot of complexity and competency to absorb, even for a Google or a Microsoft.


Another model would be for PAAS vendors to think of themselves as true platform providers and enable specialized security vendors to build such services on top of their platform. In that model, MSSPs would build virtualized, multi-tenant perimeter infrastructure on top of their favorite PAAS, and then sell perimeter security as a service within these environments to their customer base. Obviously, this would require a different platform than the current MSS infrastructures. Moreover, MSS providers would have to adapt to each specific PAAS, forcing them to make strategic choices and restricting them to a few partners, who may not fit what their customers want in the first place.


The last alternative would be the emergence of standalone network security services in their own cloud, separate from the PAAS. The new security cloud would act as a virtual perimeter by funneling, inspecting, filtering and policing all traffic. Think of the perimeter as dissolving and being replaced by a defense network that consistently protects all corporate network assets independently of where these assets live: within the enterprise, within a SAAS, within a PAAS. For the same reason that Web application software tends to be very different from security software (industry consolidation aside), it would let cloud providers focus on what they do best: one cloud to build and deploy custom apps, another cloud to secure them. For the customer, it would enable a single set of policies to be defined, implemented and enforced in a single place, independently of where network applications and data actually reside (inside or outside the enterprise).


This is somewhat similar to the concept of "clean pipe" that many MSSPs have been contemplating for several years. The difference is that the move to the cloud and SAAS becomes the compelling driving force that shifts today's legacy deployment model of network perimeter security towards a true in-cloud model. The exact timing of such a transition remains unclear, but if one believes that cloud computing is an unstoppable trend, perimeter security may be due for a significant transformation in the years to come.



March 8, 2009

The Next Trust Infrastructure: Securing Mashups

There is no doubt that mashups will be an important construct of the next Internet. The ability to "compose" distributed Web services into one single aggregate service or view is a significant enabler. The lightness of HTML and JavaScript speaks to the simplicity of a successful programming model. Add to this the emergence of open standards like OAuth, and the need to distribute functionality across screen boundaries (PC, mobile and IP TV), and the picture becomes very clear: mashups and widgets are likely to lead the componentization of the Web and become an important distribution mechanism.


For mashups to become ubiquitous, a trust infrastructure is needed. To establish trust between a widget aggregator (a consumer portal, the enterprise portal or your homepage or TV screen), and a widget provider, protocols like OAuth essentially rely on the exchange of shared secrets. This works well when there are only a few big portals serving as aggregators. However, because they require pair-wise trust relationships, the approach does not scale to a truly distributed environment. In particular, the model breaks very quickly in the enterprise as the number of network end-points (enterprise portals and SAAS) explodes.
Ravi Ganesan and his new company SafeMashup may have found the answer to this thorny problem. Ravi's answer is brilliantly simple: reuse the existing and proven trust infrastructure of the Web. Indeed, SafeMashup enables existing CAs to issue credentials to mashers and mashees. These credentials are identical to the ones they issue to Web sites today. Because Web 2.0 protocols such as OAuth require a shared secret, Ravi uses the SSL handshake and the issued SSL certificate as a secure method to establish a shared secret between the masher and the mashee. This approach allows him to layer SSL and certificates on top of the Web 2.0 protocols without requiring any change to these protocols. Brilliant!
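The shared secret the post refers to is the OAuth 1.0 consumer secret (plus the token secret), which keys the HMAC-SHA1 request signature. The following is an added example, not SafeMashup's, VeriSign's or the OAuth project's code: the signer a masher would run and the verifier a mashee would run, including the checks a provider should make beyond the signature itself (timestamp freshness and nonce replay). The consumer key, token and secrets are the constructed values from the OAuth 1.0a specification's Appendix A example, used here as a test vector. It illustrates why the two parties must already hold the same secret before the first request, which is the pair-wise relationship that does not scale; SafeMashup's SSL-based bootstrapping of that secret is not implemented here.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0 signature base string: METHOD & base URL & normalized parameters.

    `params` holds the oauth_* protocol parameters (never oauth_signature itself);
    query-string parameters from the URL are merged in and everything is sorted."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if (scheme == "http" and host.endswith(":80")) or (scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]  # default ports are omitted from the base URL
    base_url = f"{scheme}://{host}{parts.path}"
    all_params = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """The shared-secret step: both sides must know consumer_secret (and token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret, now, nonce=None):
    """Masher side: produce the oauth_* parameters for one request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now)),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


def verify_request(method, url, params, consumer_secret, token_secret, seen_nonces, now, max_skew=300):
    """Mashee side: reject bad signatures, stale timestamps and replayed nonces.

    `seen_nonces` is the provider's replay cache (a set shared across calls)."""
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(int(now) - ts) > max_skew:
        return False
    nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
    if nonce_key in seen_nonces:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(nonce_key)  # only record the nonce once the request is known to be genuine
    return True


def pairwise_secret_count(aggregators, providers):
    """The scaling point: every aggregator/provider pair needs its own secret,
    whereas certificate-based trust needs one credential per party."""
    return {"pairwise_secrets": aggregators * providers, "certificates": aggregators + providers}


if __name__ == "__main__":
    # Constructed values taken from the OAuth 1.0a specification's Appendix A example.
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    req = sign_request("GET", url, "dpf43f3p2l4k5l03", "kd94hf93k423kf44",
                       "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", now=1191242096)
    cache = set()
    print("first use:", verify_request("GET", url, req, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", cache, now=1191242100))
    print("replay:   ", verify_request("GET", url, req, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", cache, now=1191242100))
    print(pairwise_secret_count(aggregators=50, providers=2000))
```

Run as a script it signs one request, verifies it, and shows the same request being refused on replay. A verifier that only checks the HMAC and skips the timestamp and nonce checks accepts captured requests indefinitely, which is the usual mistake in home-grown OAuth 1.0 providers.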


There is no doubt that broad deployment of mashups requires an open, standards-based, scalable trust infrastructure. Reusing the existing PKI infrastructure and its rugged SSL cousin strikes me as a very good idea! After all, when the wheel works, why reinvent the wheel. So, "bonne chance" to Ravi and SafeMashup. Indeed, there is something truly exciting brewing in San Antonio, Texas.

February 22, 2009

OpenID and the User-Centric Time Machine

There have been a few very insightful discussions from Chris Messina and others regarding the PIP as a secure file vault, so I thought I would share some of our longer-term product goals.


Today, the PIP file vault is a personal digital locker for our users to manually upload their most personal files. That by itself is not an innovation. In fact, the Web is full of personal storage services like Gmail. Online storage provides immediate and useful value, yet its usefulness is limited by the amount of work an end-user is willing to commit (uploading takes work!).


Now it is interesting to consider how this simple Web 1.0 model of personal digital storage evolves when combined with an OpenID provider. Together, can these technologies allow us to transfer and store in one single place under our control the personal files, private data and rich media content that is today spread throughout the Internet? In short, can a simple file vault become the in-cloud "time machine" of our distributed digital lifestyle?


A SAAS and device-centric view of cloud storage

A lot has happened with network storage in the last few years. One of the most notable disruptions is Amazon S3. I would characterize Amazon S3 as a SAAS-centric view of storage. Web applications can outsource the storage function to a highly cost-effective network that has already reached economies of scale. Obviously, it fits the Amazon economic model perfectly. Closer to the end user, we find Microsoft and Apple storage services. Their approach is similar in concept. To them, cloud storage is merely a device enhancement, and synchronization is their lingua franca (iSync for Apple, Live Mesh for Microsoft). The concept certainly has merit for users with data spread across multiple devices. However, this is a very device-centric view of the world. It fails to realize that, increasingly, our critical data resides across many Web sites with no ability to sync.


A user-centric viewpoint: centralized storage for distributed private data

So, what happens when one looks at storage with a Web 2.0 user-centric view instead of the cloud-centric view of Amazon and the device-centric view of Microsoft and Apple? One sees independent, distributed and sometimes competing Web services. Through these services, users store personal information, create new data, and acquire digital content. Some of that content is low value and can be left behind. Some of this data is social in nature and is probably best shared with our Facebook friends. However, some of this data is also highly confidential and personal in nature. In that case, we, the end users, should be able to request its safe transfer and backup to a digital locker that we fully control (the OP).


Towards a "Locker Connect" mechanism

Using the OpenID and OAuth models, such a private data transfer can be authenticated and authorized by the end user (although the data flows from the RP to the OP). The locker's network endpoint address can be discovered as any identity attribute would be. Finally, a user interface à la Facebook Connect can provide a friendly user experience while ensuring a user-centric control point (the user controls what, where, when and whether the data is being sent).


The "wow" effect

The use cases certainly sound unlimited. Think digital health care and the $20B stimulus package: whether I am accessing my doctor, hospital, lab or pharmacy Web sites, I can now authenticate across all health service providers and authorize the audited transfer of personal health records back to my locker. Think rich media content: I can now purchase digital music, movies, or books across multiple e-tailers and have the bits (or maybe just the digital rights) sent back to my locker. Think payment and billing: please, send all my purchase and online statements back to my digital locker.


Yes, we can! With data portability and OpenID, a simple file vault can grow into a much more compelling personal identity service. And who knows. With security and private storage, we may even have a real business model!

February 17, 2009

PIP Update: a free secure digital lock box

The PIP team just released a new feature on Friday: a secure digital vault to store your most personal documents online. Think of it as a digital lock box in the cloud to store copies of your most important documents (deed of trust, will, passport, property pictures for insurance, etc.).


Since these documents are your secrets, all files are encrypted using key management best practices. To increase security, access to the vault requires two-factor authentication. If you already have a VIP token, simply link it to your PIP account. For our most cost-conscious PIP users, we offer a free mobile version of the VIP OTP token. It can be downloaded to your phone here (I use the iPhone Beta version that will be available soon). Once strongly authenticated, the vault opens (Flash is your friend) and you can begin to upload files.
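The second factor described above is a one-time-password token. As an added illustration that is not PIP's or VIP's code (the page does not say which OTP algorithm VIP uses, so an OATH HOTP event-based token per RFC 4226 is assumed), here is the verification logic a service fronting a vault needs: a look-ahead window to tolerate counter drift when the user generates codes without logging in, rejection of any code at or below the last accepted counter so a captured code cannot be replayed, and lockout after repeated failures. The secret and the expected codes are RFC 4226's published test vectors, not values from the page.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpValidator:
    """Server-side state for one enrolled token.

    The server never trusts a counter sent by the client; it keeps its own
    last-accepted counter and searches forward from there only."""

    def __init__(self, secret: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self.counter = -1      # last accepted counter; nothing accepted yet
        self.failures = 0
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        # Candidate counters: strictly after the last accepted one, within the window.
        for candidate in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate   # resynchronise; this and every earlier code is now dead
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True             # brute-force protection: require out-of-band reset
        return False


if __name__ == "__main__":
    # RFC 4226 test secret; the first codes it produces are 755224, 287082, 359152, ...
    validator = OtpValidator(b"12345678901234567890")
    for attempt in ["755224", "755224", "359152", "287082"]:
        print(attempt, "->", "accepted" if validator.verify(attempt) else "rejected")
```

In the scripted run the first code is accepted, its immediate reuse is rejected, the code for counter 2 is accepted even though counter 1 was skipped, and the code for counter 1 is then refused because the server's counter has already moved past it. The lockout threshold and window size are the two knobs that trade usability against guessing risk for a six-digit code.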


The activation process is really straightforward, and our usability team has done a lot of work on the user interface. Moreover, it is free to all PIP users. So, try the new features and tell us what you think. By combining OpenID, strong authentication, password vault and secure storage, the PIP is getting one step closer to realizing VeriSign's long term vision of a user-centric identity service that will enable and protect our digital self.


February 12, 2009

FaceBook Joins OpenID: Goodbye OpenID, Bonjour Open Connect?

Great news for OpenID aficionados: the largest social network is embracing OpenID. With 221M users, one could easily conclude that OpenID has just received the stimulus package it needed to finally achieve critical mass. But what does it really mean for OpenID? While we are all looking forward to the day FaceBook becomes both an OpenID provider and relying party, the initial impact is more likely to be a significant change in the OpenID user interface. As shown here and there, it is clear that from a UI standpoint, Google and FaceBook are converging in terms of how to achieve login and exchange of personal data across relying parties and social networks.


While FaceBook will likely integrate OpenID as the "alternate" login method for FaceBook Connect, Google and its followers will do the same with OpenSocial and Google Friend Connect (in the case of Google, you may also get the friendly Yahoo!, MySpace and AOL followers). By becoming the alternate login method (but a more obscure one), the risk for OpenID is to be relegated to the level of OAuth and SAML: authentication protocols without any consumer brand recognition. Alternatively, OpenID may rise above the "open stack" plumbing to become the network mark that ensures interoperability across the FaceBook and Google networks. That, my friend, is of course politics, but with Facebook on board, it would appear that this week, this old chimera of federated Internet identity may have made a significant leap forward.