The Techno-Centric "blind spot" and the Next Level of Intermediation

Too frequently, technology assumes either that Identity is not a problem or that Identity data issues won't ever be addressed by organisations. The #identity technology market is small, innovation is very limited too, and when it comes to data control few companies really "get it." Very few vendors understand the difference between managing and auditing Identity data and controlling … Continue reading The Techno-Centric "blind spot" and the Next Level of Intermediation

Segmentation of the Risk Space and Adaptive Security

Identity Data concerns also change in the context of new, evolving network models. When organisations move beyond the traditional "perimeter", and when authentication and authorisation mechanisms need to let users move fluidly to reach the resources they want, a new security "zoning" model is necessary. The common "enterprise" model with a single … Continue reading Segmentation of the Risk Space and Adaptive Security

Expanding the Frame of Risk and Trust Management

Many Identity Management efforts, including large programmes, are severely limited by the way organisations perceive their requirements. Demand for change and technology upgrades drives IAM projects, while Security and Business benefits are left in the background or even ignored. It is evident that IAM is still seen primarily as a "technology" to improve user … Continue reading Expanding the Frame of Risk and Trust Management

Microeconomics of I&AM: Identity Management in three slides

If I were asked to summarise my views on Identity and Access Management, what it is and what it will be, I would first point to the complexity involved in delivering I&AM programmes. This complexity is rooted in the normal (conventional) business management of the IT support functions. Given that IT is largely … Continue reading Microeconomics of I&AM: Identity Management in three slides

Security Lost and Recovered (and 4)

A transition to “complete” Security (in the sense described in the previous sections) requires a rediscovery of the context, this complex mesh of relationships through which we live and operate. This change must leverage a recognition of the personal, psychological, organisational and technical aspects. In following this path we need to base the IT disciplines … Continue reading Security Lost and Recovered (and 4)

Security Lost and Recovered (3)

A “complete Security” approach, in the sense I introduced in the previous article (http://carlos-trigoso.com/2014/04/28/security-lost-and-recovered-2/), applies a modal logic to grasp the fundamental aspects of any Security arrangement. This is a “deontic logic,” i.e. a logic of obligation, prohibition, interdiction and permission, which is able to represent the various moments of a Security model. In … Continue reading Security Lost and Recovered (3)

Mirage of “Technology”

There is no Security consulting intervention that does not require organisational transformation. It is not only unsatisfactory, but definitely damaging, to think otherwise. Security problems appear precisely when the technology pretends to "automate" processes and safeguards that never existed or are weak in the organisation. Nevertheless the mirage of technology is still presented as … Continue reading Mirage of “Technology”

“Using Erlang in a Web Start-up”

In “Using Erlang In A Web Start-Up,” Gordon Guthrie (hypernumbers.com) summarises the structural problem that Erlang environments bring to the Solution and the Security Architect: “Security is the Achilles heel of Erlang. Due to the trusted nature of telephony networks (at least compared to the internet) Erlang has no security. All nodes in an Erlang … Continue reading “Using Erlang in a Web Start-up”

“Erlang has no locks and no keys”

There is perhaps no better source to understand and learn the Erlang language than the book “Programming Erlang” by Joe Armstrong (“Programming Erlang, Second Edition”, The Pragmatic Bookshelf, 2013). This is a detailed, authoritative exposition of the language covering all aspects of it, from the design principles to the procedures to build an application. Regrettably this … Continue reading “Erlang has no locks and no keys”

On the Actor Model and “mailboxes”

Carl Hewitt clarified the relationship between his formulation of the Actor Model and one particular version of it (Karmani & Agha, 2011). The following is a message from Hewitt sent to Lambda The Ultimate in 2013 (http://lambda-the-ultimate.org/node/4853). This is a good reference to better understand the Actor Model and how it can be “implemented.” … Continue reading On the Actor Model and “mailboxes”