Blog posts by Sebastian Rohr

Humans are visual beings, or at least: I am game for eye-candy!

In spring this year I was accompanying a friend and business partner of mine, shadowing him on a visit to one of the "Managed VoIP Service" vendors, as he (my friend) is also running a small System Integrator company. Technology-wise this was quite interesting, as the vendor had some decent developer resources working on their own "Linux distro" as the core of the VoIP service. After we had gone through all the security detail regarding this approach (which is why I was there, after all!), the discussion turned towards the client and their use of the tool. As with any "messaging" solution introduced lately, the client GUI consisted of a narrow side-panel, to be positioned at the right-hand side of the screen. Why do I tell you all this? Bear with me...

Take Skype for example (not the current beta though! If anybody from the dev group there reads this: wrong direction guys! The GUI is BAD). The original GUI is nice, it can float, you can resize and tweak it as you like. Better even: TRILLIAN, the multi-messenger tool. Transparency, skins, all available. Well, our friends from the VoIP service vendor were all good, down-to-earth techies. But no "trekkies" for sure, as their GUI looked like it had been designed during the "Windows for Workgroups" design phase and never changed since. For me it is obvious that rock-solid technology is a MUST, but great UI design can be a unique selling point that most vendors seem to underestimate.

Now that I came across PINoptic and they showed me what they had to offer (e.g. visual one-time pads for mobiles) I was very much interested. Not that nobody before had the great idea of using icons and pictures to verify one's identity or to authenticate: tools like these have been available for the PALM III and PALM V as well as for Windows Mobile (almost) ever since! But these guys took a mathematical approach to it and extended the PIN-like scheme with a cryptographic back-office system. So, instead of putting in your 4-6 digit PIN at the ATM (Geldautomat, for our German readers :-) ) you touch the buttons representing your "story": man - house - bird - key. The next time the icons might be mixed thoroughly, showing a totally new number block, with the icons mapped to other buttons. Actually, a nice way to put in your PIN, and with the use of out-of-band back-channels (use your mobile phone to enter the "derived PIN"!) quite a secure way to authenticate. Hard to explain with no visual, so go and check out their demo at or help them with the "research data verification game" (clever way to do this, despite the fact that I am unsure if I would WANT to put in my details for the "lottery" here - anyone seen the "Mercury Puzzle"???).
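To make the shuffled-icon idea concrete, here is an added example of the core mechanism (my own sketch for this post, not PINoptic's code or their actual scheme): the server places the icons on the keypad in a fresh random order for every login, the user types the digits that currently carry the icons of their "story", and the server maps those digits back to icons before comparing. The icon set, the keypad size and the story length are assumptions for illustration.

```python
"""Shuffled-icon PIN keypad (added illustration, not PINoptic's implementation).

Per login the server draws a random placement of icons onto the ten keys of a
numeric keypad. The user keys in the digits that currently show the icons of
their story (the "derived PIN"). The digits on the wire differ every time, so a
recorded digit sequence does not replay against a fresh keypad unless the
attacker also saw the layout.  Icon set and keypad size are assumptions.
"""
import hmac
import secrets

# assumption: ten icons, one per key of a 0-9 keypad
ICONS = ["man", "house", "bird", "key", "car", "tree", "fish", "star", "cup", "moon"]
DIGITS = "0123456789"


def new_challenge(randbelow=secrets.randbelow):
    """Server side: return {digit: icon}, a fresh random placement of all icons.

    Fisher-Yates shuffle driven by a CSPRNG (secrets.randbelow by default);
    a predictable layout would let an observer precompute the derived PIN.
    """
    icons = list(ICONS)
    for i in range(len(icons) - 1, 0, -1):
        j = randbelow(i + 1)
        icons[i], icons[j] = icons[j], icons[i]
    return dict(zip(DIGITS, icons))


def derive_pin(layout, story):
    """Client side: which key currently shows each icon of the story?"""
    icon_to_digit = {icon: digit for digit, icon in layout.items()}
    return "".join(icon_to_digit[icon] for icon in story)


def verify(layout, story, typed_digits):
    """Server side: map the typed digits back to icons under *this* layout
    and compare with the stored story.  A PIN derived under an earlier
    layout decodes to different icons and is rejected."""
    if len(typed_digits) != len(story) or any(d not in layout for d in typed_digits):
        return False
    presented = [layout[d] for d in typed_digits]
    # constant-time compare: a wrong icon early in the story must not leak timing
    return hmac.compare_digest("|".join(presented).encode(), "|".join(story).encode())


if __name__ == "__main__":
    story = ["man", "house", "bird", "key"]
    first = new_challenge()
    pin = derive_pin(first, story)
    print("layout:", first, "derived PIN:", pin, "ok:", verify(first, story, pin))
    second = new_challenge()
    print("same PIN against a fresh layout:", verify(second, story, pin))
```

Two caveats a practitioner should keep in mind: with ten icons on ten keys the guessing space for a four-icon story is the same 10^4 as for a four-digit PIN, so lockout policy still matters; and an observer who sees both the keypad and the fingers learns the story just as with a plain PIN. The scheme buys replay resistance for the transmitted digits and resistance against shoulder-surfing of the keys alone, not against a camera that captures the whole screen.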

Anyway, have fun and procrastinate a bit at

Integration and convergence - for compliance's sake?

Recently the topic of compliance management and enforcement of compliance regulations in relation to identity management solutions has gained momentum.

Latest news about joint offerings from ARCOT and CA on their authentication and authorization products imply that vendors are looking for ways to further increase the scope of issues they are able to address. On the other hand, CA has taken steps to reduce their own stack of software, as they are selling off the former "Silent Runner" technology acquired a few years ago, thus losing IP on deeper network analysis and correlation - a market field that had been pretty much lost to ArcSight, as CA's Security Command Center never really was able to gain momentum.

Anyway, vendors are very much moving to broaden their reach regarding GRC and real-time compliance/audit capabilities. I am very much looking forward to seeing those technologies up and running - so if you have already decided to invest here, let me know!

CardSpace Business Cards - PKI 2.0?

As the Gurus of User-Centric ID Management have discussed here and here, with CardSpace and special "Managed Cards" issued through Microsoft Active Directory, InfoCards could actually become sort of an authentication token not only for yourself, but for you being an employee of the issuer of the respective InfoCard. As managed InfoCards are designed to be used as sort of a community/customer ID, why not use them to verify if somebody IS actually working for the company he claims to work for?

Impersonation still is a threat today. I experienced this during the Microsoft Security Tour that I recently attended in Hanau, Germany. One of the main reasons for attending was that my successor in the position of Chief Security Advisor, Michael Kranawetter, was about to present CardSpace to the mainly developer-oriented audience. After sharing a coffee or two, Michael stepped up to the stage and prepared for his presentation.

The big surprise came without a single bit of warning: Michael greeted the audience and said: "Welcome to this session, my name is Sebastian Rohr, and I am the Chief Security Advisor for Microsoft Germany!" Well, there was only one guy in the audience who got puzzled besides myself: my friend Stefan, sitting right next to me! Michael easily showed that in today's business you should not trust everybody who is wearing a "speaker" badge :-) one should ask for proof of the claims stated.

Anyway, back to the point: using a "Business InfoCard" issued by your employer does not only make it easier to access, say, the company online store and authenticate yourself. It can also be used in B2B situations, where you hand over your card and your communication partner can easily check that your name, title and affiliation are, in fact, valid. In addition, corporate information such as tax ID, location of the company and the official (and pretty up-to-date!) info on board members and the Chairman could be included. Nice!

Sitting over a nice glass of wine, one could drift off and, as thoughts come and go, get creative. Be it the impact of the heavy Merlot or too much sunshine: IF we have an established technology that offers easy issuing and management of credentials, spiced with corporate information and used in an interoperable environment that supports an easy "online check" whether the information presented is still valid... and all this cross-company... with an extensible range of re-use... wouldn't THAT be the dream of all those PKI guys?

Let's face it: PKI has been struggling all these years to become and remain an important part of the IT infrastructure of all large organizations. Sometimes the struggling led to a "near-death", sometimes PKI managers still hunt for the killer app that will put their technology investment to use. Even IF the PKI was put to good internal use, leveraging it outside the company was rarely successful. Now, using the above-mentioned managed Business Cards, we would really be able to do all the things we failed to achieve with X.509 certificates - well, besides encrypted email maybe!

I am really looking forward to your replies, either to be sure that it WAS too much sun and Merlot, or to kick off a new thread on (mis)using user-centric ID management in the enterprise ID management space!

SAPPHIRE Berlin Day 2

Have you ever been to SAPPHIRE?


You should!

Despite my young age, I guess here is where you find how the spirit of the IT industry might have been in "those days", when multi-million dollar mainframe deals were made. At least, that is the impression you get when you stroll around. I have been to quite some trade fairs, special meetings and vendor events, all with a rather impressive set of "supporting events" and executive receptions. But recent years have shown a decrease in the investments vendors were willing to spend on these little extras. Looks like SAP still has got some budget to spend...

But let us get back to business - executive business, that is! When it comes to providing a strategic business perspective, coming here as manager or executive you get what you expect: visionary statements, large-audience keynotes and a nice overall setup. From a technology perspective though, it is quite surprising that one can only get hold of a small number of technically versed representatives who are able to show a little more than flashing slides and animated demo screenshots. Well, one could argue that this is not TechEd, which will take place in autumn here in Berlin and which I will definitely attend as well, and one must consider the "business oriented" approach of SAPPHIRE. Point taken, rest assured! But I was NOT talking about a nuts-and-bolts session on how to configure x and get y out of that interface. I was merely looking for people to tell me just a little bit more about what became of MaxWare, where GRC overall will be going and what the combined strategy for managing identities within (and beyond) SAP will be. I will take those questions home with me, unfortunately...

Given that, I made the best out of a session with one of the solution marketing guys, who assured me that the IP as well as the human resources of the MaxWare acquisition were secured and that the now joint teams from NetWeaver IdM and MaxWare are working hard to push the integration depth. Nice - and from my point of view obvious - information: SAP will not push their newly acquired IAM technology as an independent offering but will concentrate on delivering added value to existing SAP-centric customers. I will definitely catch up with him to extend our late-evening discussions at the Hamburger Bahnhof. Thanks again for the insights!

On a completely different note, the RIM partnership seems to kick in pretty nicely with a "mobilized" SAP CRM and BlackBerry integration, which the RIM representative dared to demonstrate live during the keynote (something which I would not have dared, given my recent experience with the reliability of 3G network connectivity - especially with a few thousand people around you all carrying a mobile phone!)

I will get back to you all with more gossip tomorrow, with news on the Zucchero live performance (see the budget joke above!) and special feedback from the Business Objects keynote of CEO Mr. Schwartz!

Managing External IDs

Have you ever encountered procedural problems while re-engineering your hiring, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled by writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do all this for each and every external identity your company deals with in every business unit - do I hear muffled sobbing, or is it somebody screaming loudly and running away in pain?

The average IAM project comes to its limits with managing all the internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights - and especially restrictions! - may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or better, seldom ONLY technology related, but deals greatly with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go: imagine a big broadcasting company, or even better one of the monolithic public broadcasting services here in Germany. Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like - could and would this be done by internal resources? I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills! With deadlines approaching fast and youngsters being too reluctant to get an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the "external editor" model. So far - so good! Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps - the way through the HR hiring process - will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time if the chief editor has his own budget for external workers. In addition, the standard processes would not be of any assistance as the new guy would need access to systems that are probably not part of the global provisioning procedures or - even worse - that guy would need administrative access to some production machines!
Therefore, designing special processes for hiring and changing externals as well as managing access rights and privileges for them without having to get them into all the internal directories and databases is definitely a MUST for big IAM projects. Roles and rights management should accommodate external and internal resources alike - thus making exceptions the norm. Really sounds like a nightmare, huh? Come to EIC 2008 and join my colleague Felix Gaethgens and me in our session "Managing External Identities"! Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!

The physical, the digital and the real world

During my recent analyst calls and briefings I came across a bunch of companies and products that all start to tackle an area I have been interested in for quite a while:

getting the "holistic security" approach well beyond the borders of our mindset - beyond the digital realm! Holding a CISSP and having a keen interest in social engineering as well, I have always understood "security" as a wider topic. And it looks like the industry is catching up...

First of all, there are those companies that try to bridge the management gap between native systems of both worlds, such as IDpendant. Then there are companies such as Imprivata with their SSO appliance or Made4Biz with their "Dynamic Security" product, both of which combine the functionality of established time&attendance (physical access management) solutions with mechanisms in the IT access management (authentication) domain.

For IDpendant, the joint administration of access cards (time&attendance with RFID, Legic/Mifare), digital identities and certificates is the main focus - one that I find to be most attractive, as lifecycle management for cards and certificates has only recently been added to the functionality of Microsoft's Identity Lifecycle Manager. Microsoft's solution does lack the "physical" side though, and that is where the XML-oriented middleware kicks in that IDpendant uses to get things together. Getting the RFID object out of the card and writing it to a field in the AD while creating a certificate through the CA at the same time AND getting the card layout printed to the blank card (personalization) is a pretty nice piece of integration work.

Now that Imprivata and Made4Biz are able to use the "attendance" part of the physical solutions as input for their authentication process, the "real integration" of the realms seems to be getting closer! Users can only log in to their workstations if they have previously swiped their access card - nice! Even if users share their passwords, misuse is countered through the deactivation of "absent employee users".
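The policy just described is simple enough to write down. Below is an added example of my own (not Imprivata's or Made4Biz's product logic): a logon is allowed only if the user's most recent badge event before the logon is an entry at the same site and is not older than a presence window; a badge-out deactivates the account until the next badge-in. The badge log, the site names and the presence window are constructed assumptions.

```python
"""Gating a workstation logon on a prior badge-in (added illustration).

Not vendor code.  Badge events come from the physical access control system;
the decision function is what an authentication layer would call before
accepting a password.  Event format, site names and MAX_PRESENCE are
assumptions for the example.
"""
from datetime import datetime, timedelta

# assumption: a badge-in older than this is treated as stale.  Without such a
# window a missed badge-out would keep the account enabled indefinitely.
MAX_PRESENCE = timedelta(hours=12)

# constructed badge log: (timestamp, user, site, direction)
BADGE_EVENTS = [
    ("2008-03-10 07:55:12", "alice", "HQ", "IN"),
    ("2008-03-10 08:01:40", "bob",   "HQ", "IN"),
    ("2008-03-10 12:30:05", "bob",   "HQ", "OUT"),
    ("2008-03-09 18:10:00", "carol", "HQ", "IN"),   # no OUT since: missed badge-out
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def last_badge_before(events, user, at):
    """Most recent badge event of `user` at or before `at` as (time, site, dir), or None."""
    candidates = [(parse_ts(ts), site, direction)
                  for ts, u, site, direction in events
                  if u == user and parse_ts(ts) <= at]
    return max(candidates, default=None)   # tuples order by timestamp first


def logon_decision(events, user, workstation_site, logon_time):
    """Return (allowed, reason) for a logon attempt of `user` at `workstation_site`."""
    last = last_badge_before(events, user, logon_time)
    if last is None:
        return False, "no badge event on record"
    ts, site, direction = last
    if direction != "IN":
        return False, "user badged out at %s" % ts          # "absent employee" deactivation
    if site != workstation_site:
        return False, "badged in at %s, workstation is at %s" % (site, workstation_site)
    if logon_time - ts > MAX_PRESENCE:
        return False, "badge-in at %s is stale" % ts        # limits damage of a missed OUT
    return True, "badged in at %s" % ts


if __name__ == "__main__":
    for user, site, when in [("alice", "HQ", "2008-03-10 09:00:00"),
                             ("bob", "HQ", "2008-03-10 13:00:00"),
                             ("carol", "HQ", "2008-03-10 09:00:00"),
                             ("dave", "HQ", "2008-03-10 09:00:00")]:
        print(user, site, when, logon_decision(BADGE_EVENTS, user, site, parse_ts(when)))
```

The carol case shows where the approach is only as good as the badge data: if people tailgate out of the building, or the OUT reader is skipped, the account stays enabled for the whole presence window, and a colleague with her password can still log in. A site check and a bounded window shrink that exposure but do not remove it.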

Well, not all that shines is gold (uhh, German sayings...) - there are definitely flaws to that approach, but I see rising interest in the topic...

Would love to hear from you guys - thoughts, comments?

PS: on a side note, Imprivata's "ProveID" concept is pretty cool - it actually provides IAM technology (authentication, that is) for applications without the need to implement that for each app. Quite the idea behind our KCP vision of layered IAM - simply an authentication layer that pops up any time you need it!

User Centric IAM - all a lie?

I talked to my Sensei-san, Dr. Kpatcha Bayarou of Fraunhofer SIT, recently and although we only had a few minutes, we came to some extreme views on what User Centric IAM really is about.


The power to control who gets access to what of my content and information! You are reading this text without disclosing anything about yourself, which is due to my totally hedonistic way of "sharing the knowledge" ;-) . Ok, one might say it is to lure some of you into registering for this site, for our newsletters and even some of the reports. That is, to get YOUR IDENTITY and YOUR MONEY ;-) Do you get a feeling where this is going?

Until recently, anybody who had something to offer on the internet (or elsewhere in the brick&mortar world) would request your registration to do business with you. This was tedious, had lots of flaws and still puts a lot of burden on us consumers, especially the ones with the infamous "Geiz ist geil" attitude, always hunting for the best price of a piece of merchandise. These bargain hunters would willingly subscribe anywhere and register with any online shop where they would be able to buy something marginally cheaper or get their hands on a shiny new gadget first. Well, we all did this sometime, somewhere, didn't we? It may even have been just to get a special piece of software that we needed to get something done quickly...

There the bargain hunters end up with a multitude of logins and passwords, as if we had known it. The background is the same everywhere: somebody who has something we want won't let us have it until we sacrifice/disclose some of our identity information. Actually these people have power over us, and they are exercising it freely. We seem to ignore this fact, as we are so used to "register for free...". This is seldom "free": we pay with facets of our identity, and those are valuable to me.

Wow for VAAU!

Ok, nothing is more boring than yesterday's news, I guess!

Despite this oh so true statement, especially in the blogosphere, I would like to rant about SUN's recent acquisition of VAAU, a small company that offers tools around role mining and role engineering as well as compliance.

I had the sincere pleasure of working with some of the VAAU EMEA people and found both their tools and their approach to be very exciting. SUN in Germany is also very excited - at least the SUN guys I talked to lately - and they are eager to put their new tools to work exclusively, bearing in mind that VAAU was open to most IAM vendors before and will now probably go exclusive with SUN ID Management solutions. I'd say this is quite a punch for the remaining bunch...

Same as SAP has to prove that their MaxWare deal was worth the price, SUN now has to make sure that the competitive advantage of exclusive access to VAAU technology can be backed up with special ties and deeper integration with their IAM solutions. I intend to closely watch these guys next year, and probably have a chat or two with representatives of both sides! This is an invitation - but you know that, don't you?

See you all soon


Hello World...

Welcome to my world of Digital Identity - hopefully it will be as entertaining (and hopefully at least slightly insightful) for you to read as it is for me to write!

First of all, I would like to post my own vision of digital identities - which might slightly differ from what others think... there are some people out there who have rather far-fetched visions, driving the future of what our digital lives will look like in some five to ten years or even beyond that. What I would like to sketch is rather short-sighted for being called a vision; nonetheless this is far from being reality, to my own regret!

Let us start with our normal daily identity treadmill - booting my PC and... logging in... Ok, well... starting my email client and... logging in! Getting a nice message that my blog is online, and these & that are the credentials to... log into it. Catch my drift? Anyway, we all know this and there are products out there to tackle these problems, some doing a great job, some only improving the situation slightly. Most of these solutions come as enterprise packages, with lots of administration and a beautiful (or not so beautiful) GUI to tweak and turn. So, my workplace identity/-ies are taken care of. Nice! But what happens with the "other" digital identity, my personal, private one? There is no admin to take care of it, there is no ID management tool that coordinates and keeps track of everything. And if there was - how would this thing cope with me being on the road all the time?

Well, there are tools for this also, one might say. And yes, some of them are pretty elaborate, mainly those based on some sort of USB memory stick with security functions. None of those offer me the security and usability I would be looking for, though! What happens if I lose the USB stick? What happens if I change the password to access it, and then forget the right password due to me being only a lazy human?

As I had the pleasure of speaking at a security conference lately, I was bound to ask: where is my digital driver's license? (courtesy of Dick Hardt, some will remember!). But could Dick be more accurate? His analogy holds true in most scenarios! Often I only need to prove that I am of a certain age to access "content" - and we have our own little identity crisis here in Germany around this since the BGH (Federal High Court) ruled that XXX content needs to be protected by proper age verification. In other scenarios, it is only necessary to prove that I am that certain guy who registered some account and needs access to it. No need to disclose "real" personal info - just a verification that I have a valid claim to access the information in question. Thus, claims-based ID management, such as discussed by Kim Cameron, comes into play (but this is really the future, I guess - I won't start wishful thinking until next year!).
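What "just a verification that I have a valid claim" looks like in code, for both the age-verification case here and the employer-issued "Business InfoCard" of the CardSpace post above: an added example of my own, not CardSpace, not the InfoCard token format, and not code by Kim Cameron or Dick Hardt. An issuer signs only the claims one relying party needs, bound to that relying party and to an expiry, under a pseudonym rather than a name; the relying party checks signature, audience and validity window and learns nothing else. Issuer names, keys and the token layout are assumptions; an HMAC stands in for the issuer's signature so the example runs with the standard library alone.

```python
"""Minimal-disclosure claim token (added illustration, not CardSpace/InfoCard).

issue()  - issuer side: sign {claims} for exactly one audience, with a validity window
verify() - relying-party side: accept only tokens from a trusted issuer, addressed to
           me, inside their validity window, and return the claims alone.
HMAC-SHA256 with a per-issuer key stands in for the issuer's signature; the
issuer names, keys and JSON layout are assumptions for the example.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(issuer_key, issuer, audience, pseudonym, claims, ttl, now=None):
    """Issuer side: token carrying only `claims`, usable only at `audience` for `ttl` seconds."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "sub": pseudonym,   # pseudonym, not the real name
            "claims": claims, "iat": int(now), "exp": int(now + ttl)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(issuer_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify(trusted_issuers, me, token, now=None):
    """Relying-party side: the claims dict if `token` is valid for `me`, otherwise None."""
    now = time.time() if now is None else now
    try:
        p, m = token.split(".")
        payload, mac = _unb64(p), _unb64(m)
        body = json.loads(payload)
    except (ValueError, TypeError):
        return None                                  # malformed token
    if not isinstance(body, dict):
        return None
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return None                                  # issuer we do not trust
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None                                  # tampered, or signed with another key
    if body.get("aud") != me:
        return None                                  # token replayed to a different site
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return None                                  # expired (or not yet valid)
    return body["claims"]


if __name__ == "__main__":
    key = b"demo-issuer-key"                         # assumption: shared out of band
    token = issue(key, "age-service.example", "shop.example", "pseud-42", {"over18": True}, 300)
    print(token)
    print(verify({"age-service.example": key}, "shop.example", token))   # {'over18': True}
    print(verify({"age-service.example": key}, "other.example", token))  # None
```

Replace the HMAC with a public-key signature and a published issuer key and the relying party no longer shares a secret with the issuer, which is the arrangement the managed-card discussion above assumes; the checks themselves (trusted issuer, audience, window, then read only the claims) stay the same.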

One could come up with more and more of these scenarios, each with small but significant deviations from the others. Most of those could be tackled with some sort of digital driver's license, I presume. And I would be more than happy to get my hands on Dick Hardt's digital driver's license any time soon... just to check out if I could buy Vanilla Stoli with it in Canada!

Cheers and a wonderful Christmas time as well as a perfect New Year's Eve!

See you all soon
