ICS

OpenID

August 17, 2009

Microsoft Cloud Security Survey and Results

Two weeks ago, J. D. Meier at Microsoft conducted a survey on cloud security practices in cloud computing security, and earlier today he posted a quick summary of the results. Most respondents were architects, though developers and testers answered as well.

Some interesting tidbits:

  • There is significant interest in infrastructure and process related security issues such as SLA’s, policies, and intellectual property.
  • There is significant interest in threats and countermeasures.
  • There is some interest in OpenID as an authentication/authorization approach.

To see all the rest, take a look at his article.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 09:56 PM in Cloud Computing, OpenID, Security | | Comments (0) | TrackBack (0)

July 02, 2009

Sears Adopts OpenID

In the biggest news for OpenID since Facebook's announcement that it would be a relying party, Sears announced that it would do the same. Customers will even have access to special offers and coupons in return for their participation in the community.

Up to this point, it'd been mostly technical organizations that had implemented OpenID. In a recent interview, Chris Messina had been expecting government entities to be relying parties as a way to bring OpenID into the mainstream, but perhaps the commercial sector may help OpenID's goals instead.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 02:30 PM in Cyber Security, OpenID, Security, Single Sign-on | | Comments (0) | TrackBack (0)

May 18, 2009

Facebook Now an OpenID Relying Party

As covered previously on this blog, Facebook announced its Facebook Connect feature a few months ago. Similar to OpenID and OAuth, Facebook is attempting to solve the single sign-on (SSO) problem in a proprietary way. Perhaps due to Facebook's joining of OpenID's Foundation Board, Facebook has announced that it will also be a relying party to OpenID, allowing users to login using OpenIDs from familiar providers.

What would be really interesting is if Facebook became an OpenID provider, allowing other sites to use Facebook as their OpenID provider.While Facebook Connect usage statistics are not readily available, it is unlikely that Facebook would cannibalize their competing SSO solution, unless OpenID became a de facto standard, which it has yet to do.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:04 AM in OpenID, Security, Single Sign-on | | Comments (0) | TrackBack (0)

April 15, 2009

ICS Startup SafeMashups Inc. Covered in the News


As covered previously, SafeMashups, Inc., the latest startup from the Institute for Cyber Security, will be speaking at the RSA conference Innovator's Sandbox and has been selected as a finalist in the "Most Innovative Company at RSA Conference 2009" contest they are hosting.

BusinessWire caught the initial press release that discusses each of the ten companies and SafeMashups in specific. From the article:

SafeMashups Inc. is an application authentication pioneer that has developed the MashSSL protocol  which provides a standardized way for web applications to securely identify each other when mashing through a potentially untrusted user or browser. MashSSL allows web applications running emerging Web 2.0 protocols like OAuth, XHR, OpenAJAX, OpenID, etc. to authenticate each other securely using their existing SSL credentials.

SearchSecurity also covered SafeMashups in an article describing how security budget issues may resonate at the RSA Conference, and how vendors that address application security issues are beginning to gain more attention, such as SafeMashups, where its software tools help developers build Web applications more securely. The aricle also mentions the free MashSSL Web Toolkit and free SafeMashups Community Service.

Nemertes Research also highlighed the need for enterprise mashups security in a brief on SafeMashups. In their study, they found 42% of participants are already using mashups, but that for the enterprise, they must implement strong security controls to protect internal mashup applications from insider threats. To this end, SafeMashups has the opportunity to boost enterprise mashup platforms.

More news to come in the following week. Stay tuned!

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 03:41 PM in Contests, Cyber Security, Events, MashSSL, Mashups, OAuth, OpenID, Presentation, SafeMashups, Security, Single Sign-on, SSL/TLS, Startups, Web/Tech | | Comments (0) | TrackBack (0)

April 08, 2009

MySpace now Supports OpenID

Yesterday, the OpenID group announced  that MySpace had fully implemented an OpenID Provider to their sngle-signon mechanism, MySpaceID. This might breathe some new life into the OpenID program, as they have a shared competitor in both of their respective scapes: Facebook is the largest competitor to MySpace, just as Facebook Connect is the largest competitor to OpenID.

From the announcement: OpenID aligned perfectly with MySpaceID as an authentication technology. As a social portal, we already embraced the notion of representing identity with a URL. An overwhelming number of our users have setup vanity URL’s (i.e. myspace.com/pixelelated) and so we knew that OpenID would align well with our users.

This might be the most compelling argument for MySpace bringing OpenID into larger use. Other ID providers to have implemented OpenID, such as Google, AOL, and Yahoo!, can lay claim to being identity hosts for a user, but all of those are email addresses, which is a shift in vision from OpenID's paradigm, which is identity-as-URI, a structure that MySpace's "vanity URLs" fill nicely.

Erhan J. Kartaltepe
erhan.kartaltepe-at-utsa.edu

Posted at 10:50 AM in OAuth, OpenID, Single Sign-on, Web/Tech | | Comments (1) | TrackBack (0)

February 06, 2009

Facebook Joins OpenID Foundation Board


Yesterday evening, the OpenID group announced that Facebook has joined its foundation board. If this headline sounds familiar, it is only because it is hot on the heels of Paypal joining the OpenID Foundation Board itself just a week ago.

At first, this seems to clash with Facebook Connect, which this blog discussed a month ago. The single sign-on (SSO) idea (one login for all web apps and sites) remains the same, but unlike OpenID, Facebook connect uses a centralized mechanism (namely, Facebook) to facilitate the exchange.

Facebook joining the board now adds a host of organizations that have joined its board, including Google, IBM, Microsoft, the aforementioned PayPal, VeriSign and Yahoo!. While OpenID has faced some criticisms, including its user interface experience, 2008 was a large year for it, and it looks to be building on that early into 2009. It'll be interesting to see where OpenID ends up at the end of the year.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 10:45 AM in Cyber Security, OpenID, Single Sign-on, Social Networking, Web/Tech | | Comments (0) | TrackBack (0)

January 28, 2009

Paypal Joins OpenID Foundation Board

The OpenID Foundation just announced in a statement that Paypal has joined sustaining corporate member of the Board, putting some extra muscle behind the open single sign-on mechanism. The concept behind OpenID is an intriguing one and has a lot of mainstream support, allowing anyone to act as an OpenID provider or consumer.

Its largest competition lies in Facebook Connect, which this blog discussed just last month. Facebook has the same SSO idea (one login for all web apps and sites), but uses a centralized mechanism (namely, Facebook), leading some to postulate that if it were to take off, all applications using it essentially would be Facebook apps.

SSO seems to be coming closer and closer with multiple converging models. While OpenID has the open standards behind it, a large company like Facebook with a proprietary mechanism wouldn't be the first to win such a battle.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:57 AM in OpenID, Single Sign-on, Social Networking, Web/Tech | | Comments (1) | TrackBack (0)