Always Remember…and Differentiate

I’ve railed against copying the competition with “me too” messaging…and this morning I ate my own wildebeest food and did something about it.

While Bredemarket usually doesn’t mark significant dates, I observed 9/11 on my social channels. While 9/11 is relevant worldwide, it is especially relevant to Bredemarket’s identity/biometrics customers because of its revolutionary impact on our industry.

But I didn’t use the tried-and-true messaging with an image of the former World Trade Center and the words “never forget.” After 23 years, we’ve seen that message thousands of times. It blends into the landscape, like a mention of the band the Dead Kennedys that no longer raises an eyebrow.

So instead I differentiated Bredemarket’s message and said “always remember” with an image of the destruction to the Pentagon. Perhaps that will wake people up to what happened that day.

Apologies to Shanksville. We will always remember you also.

The Pentagon, 2001.

Know Your Recruiter

KYR = Know Your Recruiter.

My two most popular LinkedIn posts over the last two weeks discussed scammy SMS texts I received from people who claimed to work for Randstad and Indeed but clearly did NOT.

THIS post clearly won’t garner tens of thousands of impressions, but it’s much more important: how do you differentiate a real recruiter from a fake one?

The easiest test—which all the fake recruiters fail—is to ask the recruiter to provide their corporate email address. But even that can backfire when the fake provides an email from an ALMOST good domain such as endeede.com and hopes the mark doesn’t notice the difference.

There are other tests, but my preferred tests as a “biometric product marketing expert,” such as comparing a live, PAD#-tested selfie against a driver’s license, don’t prove anything here. Sure, such methods can prove that Anna Morgan is Anna Morgan, but they don’t prove her profession per se (fractional talent acquisition leader / recruiter / career coach).

So for now the best KYR tactic is to ask for a corporate email address. Definitely don’t take the recruiting conversation to Telegram.

# PAD = presentation attack detection. A presentation attack is when you substitute a fake face (or another fake, such as a fake driver’s license) for a real one.
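Since the corporate email address is the test that matters, here is what the “almost good domain” check looks like when you stop eyeballing it. This is an added example written for this page, not Bredemarket code; the allow-list of recruiter domains, the confusable-character table and the sample senders are constructed (endeede.com is the look-alike quoted above), and the edit-distance threshold of 2 is an assumption you can tighten.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: domains the reader has confirmed out-of-band
# (for example from the recruiting firm's own website), not a vendor list.
TRUSTED_DOMAINS = {"indeed.com", "randstad.com", "randstadusa.com"}

# Illustrative single-character confusables (digits and Cyrillic letters that
# render like Latin ones). Unicode's confusables.txt is the complete table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Reduce a domain to roughly what a human sees: lowercase, punycode
    decoded, and look-alike characters folded onto their Latin targets."""
    d = unicodedata.normalize("NFKC", domain).strip().rstrip(".").lower()
    labels = []
    for label in d.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: compare the raw label instead
        labels.append(label)
    d = ".".join(labels).translate(CONFUSABLES)
    for seq, repl in MULTI_CHAR_CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted domain it matches or imitates).

    'trusted' requires an exact (or subdomain) match on the raw string;
    anything that only matches after skeletonising, or that sits within a
    couple of edits of a trusted name, is a look-alike."""
    raw = domain.strip().rstrip(".").lower()
    for t in sorted(trusted):
        if raw == t or raw.endswith("." + t):
            return "trusted", t
    cand = skeleton(raw)
    for t in sorted(trusted):
        ts = skeleton(t)
        if cand == ts or cand.endswith("." + ts):
            return "lookalike-homoglyph", t
        if levenshtein(cand, ts) <= max_distance:
            return "lookalike-typo", t
    return "unknown", None


ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Classify an RFC 5322 From value such as 'Name <user@host>'.

    Also flags the trick of putting the brand only in the display name
    ('Indeed Recruiting <someone@gmail.com>')."""
    name, addr = parseaddr(from_header)
    m = ADDR_RE.match(addr)
    if not m:
        return "invalid", None
    verdict, t = classify_domain(m.group(1), trusted)
    claimed = sorted(b for b in trusted if b.split(".")[0] in name.lower())
    if verdict != "trusted" and claimed:
        return "brand-in-display-name-only", claimed[0]
    return verdict, t


if __name__ == "__main__":
    # Constructed sample senders; endeede.com is the look-alike quoted above.
    for sender in ("recruiter@indeed.com", "jobs@endeede.com",
                   "hr@ind\u0435\u0435d.com", "Indeed Recruiting <alice@gmail.com>"):
        print(f"{sender!r:45} -> {check_sender(sender)}")
```

Two caveats. A false positive here only means “verify another way,” so the threshold is deliberately conservative. And a verdict of “trusted” says only that the address claims a good domain; the message still has to pass that domain’s SPF/DKIM/DMARC checks, or the From header is just another thing the scammer typed.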

AI image by Microsoft Copilot because Google Gemini still won’t draw people.

KYI Stands For Know Your InMailer

KYC stands for Know Your Customer.

So I guess KYI stands for Know Your InMailer.

My broad and rich skillset

This afternoon I received an email and a LinkedIn InMail from “Alice Ives,” purportedly with Maharah according to her profile. She wanted to tell me about an opportunity.

The email.

“Your broad and rich skillset will be of great benefit to our company’s development. The employer is seeking a remote consultant. We look forward to discussing further cooperation opportunities with you. Hope to hear from you soon.”

The InMail after “Alice’s” profile disappeared.

But when I asked for her Maharah email address she didn’t respond, and her profile became invisible to me. I don’t know if “Alice” deleted her profile, if she blocked me, or if LinkedIn removed her.

Know Your Customer in the real world

Of course in the real world outside of social media, Know Your Customer procedures can be rigorous, encompassing government-issued identity documents, biometrics and liveness detection, information from public and private databases worldwide, and even geolocation.

But from what I recall before Alice’s profile disappeared, her claimed geolocation was “United States.” Just one possible indicator of fakery. 

Did you spot the others?

On Attribute-Based Access Control

In this post I’m going to delve more into attribute-based access control (ABAC), comparing it to role-based access control (RBAC, or what Printrak BIS used), and directing you to a separate source that examines ABAC’s implementation.

(Delve. Yes, I said it. I told you I was temperamental. I may say more about the “d” word in a subsequent post.)

But first I’m going to back up a bit.

Role-based access control

As I noted in a LinkedIn post yesterday:

Back when I managed the Omnitrak and Printrak BIS products (now part of IDEMIA‘s MBIS), the cool kids used role-based access control.

My product management responsibilities included the data and application tiers, so user permissions fell upon me. Printrak BIS included hundreds of specific permissions that governed its use by latent, tenprint, IT, and other staff. But when a government law enforcement agency onboarded a new employee, it would take forever to assign the hundreds of necessary permissions to the new hire.

Enter roles, as a part of role-based access control (RBAC).

If we know, for example, that the person is a latent trainee, we can assign the necessary permissions to a “latent trainee” role.

  • The latent trainee would have permission to view records and perform primary latent verification.
  • The latent trainee would NOT have permission to delete records or perform secondary latent verification.

As the trainee advanced, their role could change from “latent trainee” to “latent examiner” and perhaps to “latent supervisor” some day. One simple change, and all the proper permissions are assigned.

But what of the tenprint examiner who expresses a desire to do latent work? That person can have two roles: “tenprint examiner” and “latent trainee.”

Role-based access control certainly eased the management process for Printrak BIS’ government customers.

But something new was brewing…

Attribute-based access control

As I noted in my LinkedIn post, the National Institute of Standards and Technology released guidance in 2014 (since revised). The document is NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and is available at https://doi.org/10.6028/NIST.SP.800-162.

Compared to role-based access control, attribute-based access control is a teeny bit more granular.

Attributes are characteristics of the subject, object, or environment conditions. Attributes contain information given by a name-value pair.

A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes. For the purpose of this document, assume that subject and user are synonymous.

An object is a system resource for which access is managed by the ABAC system, such as devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks.

An operation is the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, copy, execute, and modify.

Policy is the representation of rules or relationships that makes it possible to determine if a requested access should be allowed, given the values of the attributes of the subject, object, and possibly environment conditions.

So before you can even start to use ABAC, you need to define your subjects and objects and everything else.

Frontegg provides some excellent examples of how ABAC is used in practical terms. Here’s a government example:

For example, a military officer may access classified documents only if they possess the necessary clearance, are currently assigned to a relevant project, and are accessing the information from a secure location.

Madame Minna Craucher (right), a Finnish socialite and spy, with her chauffeur Boris Wolkowski (left) in 1930s. By Anonymous – Iso-Markku & Kähkönen: Valoa ja varjoa: 90 kuvaa Suomesta, s. 32. (Helsinki 2007.), Public Domain, https://commons.wikimedia.org/w/index.php?curid=47587700.

While (in my completely biased opinion) Printrak BIS was the greatest automated fingerprint identification system of its era, it couldn’t do anything like THAT. A Printrak BIS user could have a “clearance” role, but Printrak BIS had no way of knowing whether a person is assigned to an appropriate project or case, and Printrak BIS’ location capabilities were rudimentary at best. (If I recall correctly, we had some capability to restrict operations to particular computer terminals.)

As you can see, ABAC goes far beyond whether a PERSON is allowed to do things. It recognizes that people may be allowed to do things, but only under certain circumstances.
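To make the difference concrete, here is the latent trainee example from the RBAC section and the military officer example from the ABAC section side by side, in code. This is an added example written for this page, not Printrak BIS, IDEMIA or Frontegg code: the role names, permission strings, clearance levels and policies are constructed, and the deny-overrides / default-deny combining rule is one common choice, not the only one.

```python
from dataclasses import dataclass
from typing import Callable

# ---- RBAC: permissions attach to roles, roles attach to people ----
# Constructed role/permission names in the spirit of the latent trainee
# example above; they are not Printrak BIS's actual permission set.
ROLE_PERMISSIONS = {
    "latent_trainee":    {"record:view", "latent:primary_verify"},
    "latent_examiner":   {"record:view", "latent:primary_verify", "latent:secondary_verify"},
    "latent_supervisor": {"record:view", "latent:primary_verify", "latent:secondary_verify", "record:delete"},
    "tenprint_examiner": {"record:view", "tenprint:verify"},
}


def rbac_allows(roles: set, permission: str) -> bool:
    """A user holding several roles gets the union of their permissions."""
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in roles)


# ---- ABAC: the decision is a function of subject, object and environment ----
Attrs = dict  # name/value pairs, as SP 800-162 describes attributes


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                 # "permit" or "deny"
    operations: frozenset
    condition: Callable[[Attrs, Attrs, Attrs], bool]


def abac_decide(policies, subject: Attrs, obj: Attrs, env: Attrs, operation: str):
    """Deny-overrides with default deny: a matching deny beats any permit,
    and a request that matches no policy is refused."""
    matched = [p for p in policies
               if operation in p.operations and p.condition(subject, obj, env)]
    for p in matched:
        if p.effect == "deny":
            return False, p.name
    for p in matched:
        if p.effect == "permit":
            return True, p.name
    return False, "default-deny"


CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed policy set. The first is the officer example quoted above; the
# other two express something a role alone cannot: a separation-of-duties
# rule that depends on which record is being touched and who touched it first.
POLICIES = (
    Policy("classified-read", "permit", frozenset({"read"}),
           lambda s, o, e: CLEARANCE[s["clearance"]] >= CLEARANCE[o["classification"]]
                           and o["project"] in s["projects"]
                           and e["location"] == "secure_facility"),
    Policy("secondary-verify-by-examiner", "permit", frozenset({"latent:secondary_verify"}),
           lambda s, o, e: s["role"] in {"latent_examiner", "latent_supervisor"}),
    Policy("no-second-check-of-own-work", "deny", frozenset({"latent:secondary_verify"}),
           lambda s, o, e: o.get("primary_verifier") == s["id"]),
)


def officer_request(clearance, projects, location,
                    doc_classification="secret", doc_project="PROJ-7"):
    """Build the three attribute sets for the officer example and decide."""
    subject = {"id": "officer-1", "clearance": clearance, "projects": set(projects)}
    obj = {"classification": doc_classification, "project": doc_project}
    env = {"location": location}
    return abac_decide(POLICIES, subject, obj, env, "read")


if __name__ == "__main__":
    print(rbac_allows({"latent_trainee"}, "latent:secondary_verify"))        # False
    print(officer_request("secret", ["PROJ-7"], "secure_facility"))          # (True, 'classified-read')
    print(officer_request("secret", ["PROJ-7"], "home_office"))              # (False, 'default-deny')
    examiner = {"id": "ex-42", "role": "latent_examiner"}
    own_record = {"case": "C-1001", "primary_verifier": "ex-42"}
    print(abac_decide(POLICIES, examiner, own_record, {}, "latent:secondary_verify"))
    # (False, 'no-second-check-of-own-work')
```

Note where the work moved. In RBAC, onboarding is one line (assign a role) and the policy is the role table. In ABAC, the same examiner is permitted or denied the same operation depending on the record in front of them and where they are sitting, which is exactly the “only under certain circumstances” point above, but every attribute in those lambdas (clearance, project list, location, primary verifier) has to be defined, populated and kept trustworthy before the first decision can be made.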

Implementing attribute-based access control

As I noted, it takes a lot of front-end work to define an ABAC implementation. I’m not going to delve into that complexity, but Gabriel L. Manor did, touching upon topics such as:

  • Policy as Code
  • Unstructured vs. Structured Rules
  • Policy configuration using the Open Policy Administration Layer (OPAL)

You can read Manor’s thoughts here (“How to Implement Attribute-Based Access Control (ABAC) Authorization?”).

And there are probably ways to simplify some of this.

Were You Affected by the National Public Data Breach?

(Part of the biometric product marketing expert series)

Fiona Jackson of TechRepublic shared this two days ago.

In August, a hacker dumped 2.7 billion data records, including social security numbers, on a dark web forum, in one of the biggest breaches in history.

The data may have been stolen from background-checking service National Public Data at least four months ago. Each record has a person’s name, mailing address, and SSN, but some also contain other sensitive information, such as names of relatives…

Note that 2.7 billion data records does not equal 2.7 billion people, since a person may have multiple data records.

Was your data leaked?

Rich DeMuro posted a link to see if your data was leaked. If you want to check, go to https://npd.pentester.com/, enter the requested information (you will NOT be asked for your Social Security Number), and the site will display a masked list of the matching information in the breach.

One lesson from the National Public Data breach should have been obvious long ago: anyone who relies on a Social Security Number as a form of positive identification is a fool.

Identity/Biometric Professionals, Does Your Company Need the Right Words?

Identity/biometric professionals require the right words to raise product awareness, influence consideration, or drive conversions.

Bredemarket helps you create the words your prospects and customers must hear now:

With over 29 years of identity/biometric experience, John Bredehoft of Bredemarket is the biometric product marketing expert that can move your company forward.

If I can help you, book a free 30 minute meeting with me on Calendly.

If you’re not sure about using Bredemarket, here is more information.

Identity professionals…

Are My 15 Second Videos Too Long?

You’ve probably noticed that I’ve created a lot of Bredemarket videos lately.

But…

Even Bredemarket’s “short” 15 second videos may be TWICE AS LONG as they should be.

The Microsoft 8 second study

In 2015, Time magazine reported on the results of a Microsoft study:

Researchers in Canada surveyed 2,000 participants and studied the brain activity of 112 others using electroencephalograms (EEGs). Microsoft found that since the year 2000 (or about when the mobile revolution began) the average attention span dropped from 12 seconds to eight seconds.

As many noted, a goldfish’s attention span is 9 seconds.

Celestial eye goldfish image public domain.

Some argue that the 8 second attention span is not universal and varies according to the task. For example, a 21 minute attention span has been recorded for drivers. If drivers had an 8 second attention span, we would probably all be dead by now.

But watching a video is not a life-or-death situation. Viewers will happily jump away if there’s no reason to watch.

So I have my challenge.

Ironically, I learned about the 8 second rule while watching a LinkedIn Learning course about the 3 minute rule. I haven’t finished the course yet, so I haven’t yet learned how to string someone along for 22.5 8-second segments.

Biometric Product Marketers, BIPA Remains Unaltered

(Part of the biometric product marketing expert series)

You may remember the May hoopla regarding amendments to Illinois’ Biometric Information Privacy Act (BIPA). These amendments do not eliminate the long-standing law, but lessen its damage to offending companies.

Back on May 29, Fox Rothschild explained the timeline:

The General Assembly is expected to send the bill to Illinois Governor JB Pritzker within 30 days. Gov. Pritzker will then have 60 days to sign it into law. It will be immediately effective.

According to the Illinois General Assembly website, the Senate sent the bill to the Governor on June 14.

While the BIPA amendment has passed the Illinois House and Senate and was sent to the Governor, there is no indication that he has signed the bill into law within the 60-day timeframe.

So BIPA 1.0 is still in effect.

As Photomyne found out:

A proposed class action claims Photomyne, the developer of several photo-editing apps, has violated an Illinois privacy law by collecting, storing and using residents’ facial scans without authorization….

The lawsuit contends that the app developer has breached the BIPA’s clear requirements by failing to notify Illinois users of its biometric data collection practices and inform them how long and for what purpose the information will be stored and used.

In addition, the suit claims the company has unlawfully failed to establish public guidelines that detail its data retention and destruction policies.

From https://www.instagram.com/p/C7ZWA9NxUur/.

The Single Solution Microsoft E5 License vs. Best-in-class Individual Solutions

The phrase of the day is “Microsoft E5 License.”

Identity Jedi used it in the 82nd edition of his newsletter.

The biggest threat to every single vendor in the identity space right now is the following words: Microsoft E5 License.

If you read that and shuddered, I’m sorry.

The argument for a single solution

Sounds scary. But isn’t Microsoft here to help? Threatscape makes the case.

The cohesive suite of security and productivity solutions provided by an E5 licence can significantly streamline your technological landscape, doing away with a number of on-premises and SaaS tools.

While many organisations opt for the lower-cost E3 licence, they may find this soon requires a supplementary selection of single-solution tools from alternate vendors to patch gaps in its capabilities.

Too many solutions means confusion, an often-disjointed workflow, potential overlap and overspend, and crucially, increased security risk.

By consolidating your collaboration, productivity, automation, and security solutions into a single trusted vendor platform, IT management becomes simplified, redundant solutions can be axed, and ROI can be better measured.

The Microsoft E5 Security Components

So you get everything from a single source with no finger pointing. What could go wrong?

Plenty, according to those who still think of Microsoft as an evil empire.

By Lucasfilm – Star Wars Episode VI: Return of the Jedi, Fair use, https://en.wikipedia.org/w/index.php?curid=38430548.

Let’s return to the Identity Jedi.

Microsoft is making a compelling case to businesses to consolidate into the Microsoft umbrella of products. The ease of use and financial motives just make too much sense. Now do those customers get a great IAM experience with that? Meh…kinda. Entra SSO is a solid product, Active Directory/Entra ID is solid, MIM…well….we don’t talk about MIM.

Microsoft Identity Manager

Well, I will talk about MIM, or Microsoft Identity Manager.

Actually, we’re talking about Microsoft Identity Manager 2016.

Microsoft Identity Manager (MIM) 2016 builds on the identity and access management capabilities of Forefront Identity Manager (FIM) 2010 and predecessor technologies. MIM provides integration with heterogeneous platforms across the datacenter, including on-premises HR systems, directories, and databases.

MIM augments Microsoft Entra cloud-hosted services by enabling the organization to have the right users in Active Directory for on-premises apps. Microsoft Entra Connect can then make available in Microsoft Entra ID for Microsoft 365 and cloud-hosted apps.

Is it any good? Sources say that, from a quantitative perspective, Gartner Peer Insights ranks several products higher than MIM’s 4.3 rating, including:

  • Okta Advanced Server Access (4.4)
  • Ivanti Security Controls (4.5)
  • One Identity Active Roles (4.7)
  • Imprivata’s SecureLink Customer Connect (4.8)
  • Bravura Safe (5.0, 1 rating)

The argument against a single solution

But what of the argument against getting everything from one vendor? Other companies will tout their best-in-class products. While you’ll end up with a possibly disjointed solution, the work will get done more accurately.

In the end, it’s up to you. Do you want a single solution that is “good enough” and is already pre-made, or do you want to take the best solution from the best-in-class vendors and roll your own?