﻿<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:s="http://www.zdnet.com/search" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
  <channel>
    <link>http://www.zdnet.com/</link>
    <title>ZDNet | Identity Matters Blog RSS</title>
    <description>Latest blogs in Identity Matters</description>
    <language>en</language>
    <copyright>ZDNet</copyright>
    <managingEditor>customerservice@zdnet.com (ZDNet Customer Services)</managingEditor>
    <webMaster>uk-engineering@cbsinteractive.com (ZDNet Webmaster)</webMaster>
    <pubDate>Wed, 22 May 2013 13:39:42 -0700</pubDate>
    <lastBuildDate>Wed, 22 May 2013 13:39:42 -0700</lastBuildDate>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>2</ttl>
    <image>
      <url>http://i.zdnet.com/images/spry/zdnet_300x300.jpg</url>
      <link>http://www.zdnet.com/</link>
      <title>ZDNet | Identity Matters Blog RSS</title>
      <width>143</width>
      <height>39</height>
    </image>
    <s:counts>
      <start>0</start>
      <return>20</return>
      <found>152</found>
    </s:counts>
    <item>
      <guid isPermaLink="false">7000015678</guid>
      <link><![CDATA[http://www.zdnet.com/identity-as-a-service-poised-for-run-in-enterprise-7000015678/]]></link>
      <title><![CDATA[Identity as a Service poised for run in enterprise]]></title>
      <description><![CDATA[Enterprise interest and investments ready to jump over the next two years, Gartner says]]></description>
      <pubDate><![CDATA[Tue, 21 May 2013 23:28:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>Identity and Access as a Service is poised for a strong run at enterprises of all size, and those who have done their homework will dodge the hype and know what's right for them and what's not.</p>
<p>By the end of 2015, Identity and Access as a Service (IDaaS) will account for 25% of all new identity and access management sales, compared with 5% in 2012, according to recent Gartner research "<a href="http://www.gartner.com/id=2479115">Are You and the IDaaS Market Ready for Each Other?"</a></p>
<p>At the end of 2012, the market was $180 million. By the end of this year, that number is expected to jump to $265 million.</p>
<p>Small and medium-sized companies are helping drive interest. They are extending their current IAM architectures and providing access to SaaS services or internal Web-apps. Larger companies in general are looking to support both cloud and on-premises applications with IDaaS offerings.</p>
<p>"The growth we saw in the market last year is showing us that there is acceleration," said Gregg Kreizman, the author of the research. "This coming year is where we will see more (implementation) stories emerging from organizations. Some will do quite well, but others might not live up to expectations."</p>
<p>The conclusion is that IDaaS is not a slam dunk; it takes careful planning to match needs with the right kinds of identity services. Some enterprises may just find that what they have installed is adequate for now, or that IDaaS conflicts with some of their security and privacy requirements.</p>
<p>Gartner defines IDaaS as a service that delivers the access, administration and intelligence functions of identity and access management.</p>
<p>Kreizman says IDaaS is new to a lot of enterprises and is therefore spawning questions, most of which have to do with how to extend currently installed IAM to SaaS applications. He says others with interest have identity functions they want a service to manage, while some understand the services but need insight into the market.</p>
<p>Another question is around standards. Kreizman continues to preach the need for standards support, which among other benefits avoids lock-in. But standards are more table stakes than feature sets.</p>
<p>"Really the enterprise SaaS buyer does not care so much about standards," he said. "But architects understand that having a standard helps ease adoption of SaaS business services."</p>
<p>Enterprises will be at an advantage if they understand the integration challenges they face when standards support is not available. Current standards such as <a href="http://www.zdnet.com/blog/identity/hackers-standards-and-non-profits-a-trinity-to-rescue-internet-identity/323">OAuth 2.0 and OpenID Connect</a> are generating interest among enterprise architects contemplating cloud and mobile additions to their identity strategy.</p>
<p>While Kreizman sorts out a range of vendors, he says the evolution of IDaaS is pointed at Web-based architectures, both internal and external. He says enterprises need to assess vendor viability for the long term, know where enterprise data is stored and who has access to it, understand the speed and resiliency of bridging services between on-premises and cloud services, and investigate IDaaS vendor claims that they can broker services to hundreds or even thousands of applications.</p>
    </item>
    <item>
      <guid isPermaLink="false">7000015147</guid>
      <link><![CDATA[http://www.zdnet.com/google-unveils-5-year-roadmap-for-strong-authentication-7000015147/]]></link>
      <title><![CDATA[Google unveils 5-year roadmap for strong authentication]]></title>
      <description><![CDATA[Smartphones and smart apps are major factors in access control strategies that plan to ignore whining from end-users]]></description>
      <pubDate><![CDATA[Thu, 09 May 2013 23:06:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <category domain="http://www.zdnet.com/topic-byod-and-the-consumerization-of-it/">BYOD and the Consumerization of IT</category>
      <media:text type="html"><![CDATA[<figure class="alignRight"><img title="password-key-padlock-security" alt="password-key-padlock-security" src="http://cdn-static.zdnet.com/i/r/story/70/00/015147/password-key-padlock-security-200x150.jpg?hash=BTRlBQSyAw&upscale=1" height="150" width="200"><figcaption>(Image: ZDNet)</figcaption></figure>
<p>Google unveiled on Wednesday a five-year roadmap for stronger consumer authentication tagging smartphones, long-life tokens, and futurist schemes to harden access controls, while striking an unapologetic tone toward users who resist the change.</p>
<p>The plan will ultimately change Google's login system by breaking today's pattern that has end-users signing in over and over. In its place, Google will install strong authentication on a device such as a smartphone when it is set up.</p>
<p>A complex authentication code will replace the password and allow the device to identify itself and its user, participate in complex authentication flows, and recognize usage patterns that signal attacks.</p>
<p>"We will change sign-in to a once-per-device action and make it higher friction, not lower friction, for all users," said Eric Sachs, group product manager for identity at Google. "We don't mind making it painful for users to sign into their device if they only have to do it once."</p>
<p>Sachs, speaking at the IIW (Internet Identity Workshop) Conference in Mountain View, California, said that Google won't shy away from making transitions difficult on end-users in order to have better security in the long run.</p>
<p>"We now plan to rollout a change to our login system in which we will be much more aggressive," Google wrote in <a href="https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY/edit">a document outlining the roadmap</a> (<a href="https://docs.google.com/presentation/d/1GTs1k50h1IrQ9_GAZ0FkMj074Gzm_wgxBSQL1_izYXo/edit#slide=id.gc0db1434_095">with accompanying slide deck</a>).</p>
<p>Sachs said that Google will require all end-users to have two-factor authentication enabled. Today, Google and other websites offer it as an option.</p>
<p>Sachs said that Google will put research and development into specific areas, with the goal of altering today's authentication and authorization patterns. Those areas include authentication at setup, moving beyond the use of so-called bearer tokens that give access to whomever presents them, tapping into smarter hardware, and devising new methods for bootstrapping, device unlocking, and confirmations for "risky actions".</p>
<p>He did not say what Google was budgeting in terms of investment to develop the strategy.</p>
<p>In 2008, Google made <a href="http://googleblog.blogspot.com/2013/02/an-update-on-our-war-against-account.html">a similar five-year authentication plan</a>. The biggest areas of gain were risk-based login challenges, strict two-factor challenges, OpenID style login, and use of the OAuth authentication/authorization protocol so <a href="https://sites.google.com/site/oauthgoog/UXFedLogin/strongauthvideos">apps outside the browser did not have to ask for passwords</a>.</p>
<p>Google and other vendors have made progress in these areas, and work continues.</p>
<p>Since 2008, Sachs said Google learned that account recovery was its Achilles' heel, that it was hard to get vendors to adopt OAuth, that OpenID migration was taxing, and most important, that "bad guys had evolved to more sophisticated attacks".</p>
<p>Google said that the new five-year plan corrects one particular course it misjudged in 2008.</p>
<p>"Five years ago, this level of smartphone adoption was not predicted," said Sachs. "We did not see that coming."</p>
<p>As a major part of the new plan, Sachs said that Google will weave smartphones and smart apps through a series of new authentication methods and back-end infrastructure changes.</p>
<p>He said Google likes the mobile model where applications are available once the user accesses the device.</p>
<p>"We plan to take our learnings from Android OS and apply it to Chrome, as well as taking lessons from how identity works for Android apps and apply it to web apps," according to the document outlining Google's plans.</p>
<p>Sachs said the ugly truth is that there is a consistent identity for mobile applications, but not for browsers and websites. "We need more plumbing, " he said.</p>
<p>He used an example of a "God-level OAuth token" that a smartphone could have at the operating system level to be used for authentication actions in the browser. "There is a lot of work to do here," he said.</p>
<p>Google will use smartphones and smart apps installed on devices to support one-time passcodes (OTP), portable OTPs, and newfangled schemes that can challenge users, such as <a href="https://docs.google.com/a/pingidentity.com/document/d/1-Hyb9ZnGbbeS8jn03M69J8ct1GLzYdvA_Pdi7WiQYBE/pub">presenting a map so users can verify the location they are logging in from</a>.</p>
<p>Today, there are smart apps that generate OTPs even when a mobile phone does not have connectivity. Ultimately, Google hopes to require that logins be performed where the proof of the second factor is much harder, if not impossible, to phish than OTPs.</p>
<p>Google also plans to develop methods that will accommodate users who don't have their phone. One example is where the user can access online a list of their devices that are connected to an account, and answer challenges there.</p>
<p>These sorts of schemes get around one problem with two-factor authentication (2FA), where one user on a shared account can't sign in because they don't have the device receiving the verification code.</p>
<p>Google's plan relies heavily on smarter hardware, and will tap that hardware to try to make unauthorized access via social engineering, such as phishing, more difficult.</p>
<p>Sachs used the example of a web-based online banking application prompting the user to open up a smartphone version of the same app to click a confirmation button for a transaction, and to validate the authenticity of the web-based site.</p>
<p>Google will explore using technologies such as biometrics and Near Field Communication that let users identify themselves, and allow one device to verify a new account on a second device. The bootstrapping of the device could go from Android to Chrome or from Android to Android devices.</p>
<p>"We would prefer for a user to authorize a new device by having an existing device talk to it via a cryptographic protocol that cannot be phished," Google said in its strategy document.</p>
<p>Sachs said support for non-Google devices is being worked on via Google's participation in the Fast Identity Online (FIDO) Alliance, where it has teamed with hardware security token vendor Yubico on developing a new strong authentication protocol called Universal Second Factor (U2F).</p>
<p>Google said that in the future, it will request this method be used when consumers add an account to a new device. <a href="http://news.cnet.com/8301-1009_3-57581088-83/google-joins-fidos-crusade-to-replace-passwords/">Google joined FIDO in late April</a>.</p>
<p>Google will also explore how users unlock a device connected to their accounts, and how a user "confirms" they are indeed the ones performing "risky actions" on devices connected to their accounts.</p>
<p>Google will also work on back-end infrastructure, specifically public/private key pairs and server cookies stamped with a public key as defined in the <a href="http://tools.ietf.org/html/draft-balfanz-tls-channelid-00">IETF's ChannelID draft proposal</a>.</p>
<p>Google does similar things today with its Chrome platform.</p>
<p>"In the future, it is our goal to allow early adopters to require the use of tokens 'tied' to public/private keypairs for any access to your account (from both apps and browsers)," Google wrote in its strategy document.</p>
<p>The ChannelID proposal focuses on how to protect the cookie on the device that proves the user previously signed in and reduces the risk associated with leaked reusable bearer tokens.</p>
<p>Also, Google plans to use more trusted platform modules (TPMs) and OAuth tokens on devices, and in the future, deprecate bearer tokens, which basically give access to whoever presents them, without challenge.</p>
    </item>
    <item>
      <guid isPermaLink="false">7000014785</guid>
      <link><![CDATA[http://www.zdnet.com/twitter-sprouting-an-authentication-liability-issue-7000014785/]]></link>
      <title><![CDATA[Twitter sprouting an authentication liability issue]]></title>
      <description><![CDATA[Simple credentials are showing their risk to high-profile users of Twitter.]]></description>
      <pubDate><![CDATA[Fri, 03 May 2013 00:06:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-social-enterprise/">Social Enterprise</category>
      <media:text type="html"><![CDATA[<p>Twitter's recent appeal to media outlets to head for cover as it predicts more hacks and phishing scams, points to the fact that the social network has an authentication problem that subjects users to major risks.</p>
<p>Simple user names and passwords have been exposed as woeful protection for high-profile accounts, such as those that feed real-time news streams to the public.</p>
<p>Recent hacks of Twitter accounts belonging to <a href="http://www.zdnet.com/jeep-twitter-account-hacked-is-it-twitters-fault-7000011568/">Jeep, Burger King</a>, <a href="http://www.allaccess.com/net-news/archive/story/117617/hackers-compromise-cbs-twitter-accounts-npr-websit">CBS News, and the National Public Radio</a> have brought the issue to light. But it was last week's <a href="http://news.cnet.com/8301-1023_3-57581208-93/ap-twitter-feed-returns-minus-many-followers-after-hacking/">hack of the Associated Press</a>, and the subsequent stock market plunge, that forced Twitter to put high-profile accounts on alert, in essence, admitting that Twitter's authentication system in its current form is a risk to users.</p>
<p>And to accentuate the point, the <a href="http://www.zdnet.com/guardian-twitter-accounts-compromised-sea-takes-credit-7000014650/"><em>Guardian</em> newspaper</a> in the UK was hacked over the weekend by the Syrian Electronic Army, the same group that hacked the AP.</p>
<p>"Anyone with hard dollars riding on such credentials [user name and password] gets what's coming to them," said Ian Glazer. "And that is exactly the funny thing about AP &mdash; there were no dollars flowing. But what was flowing was credibility and trust. When trust is flowing, regardless if that flow is actually money or perceived value, you've got to assess risk and protect accordingly."</p>
<p>In this situation, Glazer said that a good assessment should have made the true risks clear to the AP.</p>
<p>Twitter's current authentication system is considered a Level 1 credential in terms of the National Institute of Standards and Technology (NIST) rating, because there is no identity verification of the user creating the account. The NIST rating has four levels. A multi-factor credential would be considered a Level 3 credential, which requires proof of possession of a second factor credential. For the sake of comparison, Level 4 requires in-person identity proofing.</p>
<p>In addition to Twitter, the AP incident has commanded the attention of the financial and legal community. The FBI, the Securities and Exchange Commission, and the Commodity Futures Trading Commission (CFTC) are investigating the AP hack.</p>
<p>Bart Chilton, a commissioner with the CFTC, is calling for cybersecurity rules for companies that have social media accounts; however, those rules would not cover media outlets like the AP.</p>
<p>In a memo sent on Monday, Twitter asked for help in protecting high-profile accounts, asking media members to take certain steps to protect themselves in ways Twitter cannot on its own. "Please help us keep your accounts secure...," the memo began.</p>
<p>Twitter suggested that users create long passwords, of at least 20 characters, and to change their passwords often. It also suggested keeping email accounts secure with strong passwords, not to reuse passwords, and to review Twitter applications authorized to access their accounts.</p>
<p>Twitter also made the highly unusual step of suggesting media members on Twitter use the social networking site on a dedicated computer that is not used for email or web surfing so as to negate malware and phishing.</p>
<p>But no amount of password configuration policy or changing of passwords on short intervals can do much to thwart phishing scams. That strategy is akin to "run for your life".</p>
<p>"The attacks are social engineering, so what is the point of long passwords that are easy to capture," said Mark Diodati, a long-time identity and access management analyst, and now a member of the CTO office at Ping Identity. "The risk level has changed so much for Twitter that it must adapt."</p>
<p>So why is Twitter relying more on pleas for users to change their behavior than on engineering for its authentication system?</p>
<p>The company is said to be exploring two-factor authentication, but there are several issues that may be holding it back. One being that while two-factor authentication is a step up, it is not a cure-all.</p>
<p>While it does improve security, it raises other security and usability issues. Phishing websites can conceivably capture both authentication factors, and multi-factor authentication fails with accounts that are shared among users. Sharing most often happens with branded Twitter feeds, like those of media outlets and major companies. Forrester analyst Eve Maler explained the issue earlier this month in <a href="http://blogs.forrester.com/eve_maler/13-04-01-two_step_verification_will_end_consensual_impersonation?cm_mmc=RSS-_-IT-_-59-_-blog_2681&amp;buffer_share=4123b&amp;utm_source=buffer">a blog post about "consensual impersonation"</a>.</p>
<p>Glazer said that Twitter could use geo-location data to calculate the likelihood that a tweeter is authentic. If there is a question, a one-time passcode, the second factor, could be sent to a registered device. But there are major drawbacks.</p>
<p>"False positives can be a total pain here," Glazer said. "Consider that companies outsource access to the Twitter account. What happens when someone on the company's marketing team wants to get a tweet out there and they are in a different city than the PR team? Whose device should get the OTP? What is the user experience like?"</p>
<p>In the interim, Twitter is left to appeal to its users to alter their habits and take unusual steps to protect their accounts. And companies will have to balance their reputations on a thin line, knowing they have marginal defenses against hackers who have Twitter in their sights.</p>
<p>Twitter had not responded to ZDNet's questions at the time of writing.</p>
<p><em>Disclosure: Mark Diodati and John Fontana both&nbsp;work for the same employer.</em></p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000014426</guid>
      <link><![CDATA[http://www.zdnet.com/hackers-favor-authentication-based-attacks-report-shows-7000014426/]]></link>
      <title><![CDATA[Hackers favor authentication-based attacks, report shows]]></title>
      <description><![CDATA[A suitable password replacement could disrupt or defeat 80% of these attacks, report concludes.]]></description>
      <pubDate><![CDATA[Wed, 24 Apr 2013 20:52:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>Authentication-based attacks factored into about four of every five breaches involving hacking in 2012, according to <a href="http://www.verizonenterprise.com/DBIR/2013/">Verizon's Data Breach Investigations Report </a>released Monday.</p>
<p>The methods involved guessing, cracking, or reusing valid credentials, according to the 63-page report, which noted that the authentication results looked familiar from past years.</p>
<p>Hacking was the most prevalent form of attack and was cited in 52% of breaches. Malware came in at 40%, while physical attacks, at 35%, rounded out the top three. Authentication-based attacks were the most popular hacking threat action.</p>
<p>"The easiest and least-detectable way to gain <em>unauthorized </em>access is to leverage someone&rsquo;s (or something&rsquo;s) <em>authorized </em>access," the report stated. "Why reinvent the wheel? So, it really comes as no surprise that authentication-based attacks factored into about four of every five breaches involving hacking in our 2012 dataset. Nor is it all that surprising that we see this year after year."</p>
<p>But the report did not pull any punches on what an alternative to passwords might mean.</p>
<p>"If we could collectively accept a suitable replacement (for passwords), it would&rsquo;ve forced about 80% of these attacks to adapt or die. We&rsquo;ve talked about the shortcomings of passwords for years now, and if it were an easy problem (or the pain caused by password problems was greater), it&rsquo;d be fixed by now."</p>
<p>The critique seemed as much a realization as a challenge for innovators to come up with a password replacement.</p>
<p>The theft of passwords has been a near epidemic in the past few years.</p>
<p><a href="http://www.zdnet.com/blog/identity/zappos-breach-highlights-fragile-password-personal-data-security/152">Zappos</a>, <a href="http://www.zdnetasia.com/linkedin-disables-passwords-in-wake-of-gawker-attack-62205182.htm">Gawker</a>, <a href="http://www.zdnet.com/blog/security/apple-cbs-fox-sony-warner-bros-and-15-others-hacked/10952">Sony, Apple, Fox, CBS, Warner Bros.</a>, <a href="http://www.theregister.co.uk/2011/02/10/password_re_use_study/">rootkit.com</a>, LinkedIn, eHarmony, and <a href="http://www.zdnet.com/blog/security/lastfm-investigating-security-issue-passwords-leaked/12358?tag=mantle_skin;content">Last.fm</a> are among the companies that have felt the sting of stolen credentials, along with the hundreds of millions of end-users who owned them.</p>
<p>While the report identifies 40 varieties of hacking, nearly all of the activity is contained in five threat categories, a scenario the report labeled "remarkable." After stolen credentials, the list is made up of: use of backdoor or C2, brute force, unknown, and SQLi. "Other" accounts for 2%, and the rest of the categories each totaled 1% or less.</p>
<p>"Readers will reasonably ask how attackers steal credentials in order to reuse them to gain unauthorized access. Sometimes users are socially engineered to give them up. Sometimes malware captures them from keystrokes, browser cache, or system files," the report said.</p>
<p>The report noted that more sophisticated espionage cases examined by the study featured combinations of factors, including information theft at rest and in process, combined with credential theft via keylogging malware followed by use of the stolen passwords to access a file server.</p>
<p>"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity," Dave Hylender, an infosec expert at Verizon, wrote on the <a href="http://www.verizonenterprise.com/security/blog/index.xml?id=1&amp;postid=1658">corporate blog</a>. "Shaping the many threads into a coherent story that did the dataset justice was probably the most challenging aspect of this year&rsquo;s report."</p>
<p>The Verizon report highlighted for enterprises two of its 20 Critical Security Controls, originally developed by the Center for Strategic and International Studies and The SANS Institute, that will benefit from strong authentication: Secure Configurations for Network Devices (such as firewalls, routers, and switches), and Controlled Use of Administrative Privileges.</p>
<p>The 2013 data breach report <a href="http://www.zdnet.com/verizon-data-breach-report-state-sponsored-attacks-surge-7000014286/">includes 621 confirmed data breaches and more than 47,000 reported security incidents</a>. Over the nine-year range of the study, that tally now exceeds 2,500 data breaches and 1.2 billion compromised records. Verizon, along with 18 organizations from around the world, contributed data and analysis to the report.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000014359</guid>
      <link><![CDATA[http://www.zdnet.com/companies-obscuring-breach-risks-with-assurance-users-financial-data-secured-7000014359/]]></link>
      <title><![CDATA[Companies obscuring breach risks with assurances of secured financial data]]></title>
      <description><![CDATA[Hackers are slipping off with what they really came for — record numbers of password hashes and email addresses.]]></description>
      <pubDate><![CDATA[Tue, 23 Apr 2013 02:35:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <media:text type="html"><![CDATA[<p>"No financial information was accessed."</p>
<p>Another hack, another vendor placating victims with this simple phrase that ignores the fact that hackers are actually stealing the data they want &mdash; password hashes and email addresses.</p>
<p>In reality, the credit card is pass&eacute;, protected by a liability structure that, at most, leaves the victim with a $50 hole in their life. The financial industry long ago figured out how to minimize this threat. Hackers know it as a short-term gain.</p>
<p>But the market for personal data has no such liability nets. And the benefits of matching user accounts with re-used passwords can be a long-term fountain of gain, as attacks take on many layers and play out over a number of years.</p>
<p>The release today of Verizon's annual data breach survey shows that 76 percent of network intrusions exploited weak or stolen credentials.</p>
<p>The latest use of the "financial information" phrase comes from Wargaming, which operates the online game World of Tanks. The company says that it suffered a "security incident" and even went as far as offering 300 units of game credits to motivate users to change their passwords (thus proving that passwords have value).</p>
<p>"Some password hashes and email addresses may have been affected by the compromise," the company said. But the real danger lies in the next warning that urges users to change their passwords. "If you have been using your old Wargaming ID password on other sites, we strongly recommend that you change those passwords, too."</p>
<p>This is becoming the familiar wording that end-users should heed. Personal information is a stepping-stone to other attacks &mdash; typically, on more lucrative sites such as banks or corporate networks.</p>
<p>Last year, <a href="http://www.zdnet.com/stolen-passwords-re-used-to-attack-best-buy-accounts-7000000741/">Best Buy confirmed that hackers were attacking its online retail site</a> using credentials stolen from other sites. In other words, hackers were re-using passwords, just like their victims were.</p>
<p><a href="http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf">A September 2012 survey by fraud detection vendor CSID</a>&nbsp;showed that 61 percent of respondents were re-using passwords across multiple sites.</p>
<p>And hackers who steal those passwords are sharing them. There are numerous online forums dedicated to sharing breached personal information, or for seeking assistance in cracking hashed passwords.</p>
<p>Today's graphics cards have given hackers the power to try billions of combinations per second when cracking passwords. From the results, hackers also build dictionaries that speed future password cracking efforts and help conserve resources for the really tough password hashes.</p>
<p>The bottom line is that your financial data, i.e., your credit card, leads down only one path, a path that already has other safeguards in place.</p>
<p>Cracked passwords undermine security on a number of paths that can lead to more lucrative destinations that you or your employer want to protect.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000014177</guid>
      <link><![CDATA[http://www.zdnet.com/nikon-patent-describes-password-protected-lens-7000014177/]]></link>
      <title><![CDATA[Nikon patent describes password-protected lens]]></title>
      <description><![CDATA[Users would need to enter a password before using a lens and camera combination.]]></description>
      <pubDate><![CDATA[Thu, 18 Apr 2013 02:49:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <media:text type="html"><![CDATA[<p>Nikon is seeking a patent on an authentication system that would add a measure of security to a camera lens by password-protecting its use.</p>
<p>The patent, filed in September 2011 and made public just this month, would require user authentication before the combination of a camera body and a lens could be used together. No password, no picture taking. The idea is not to prevent theft, but to deter the re-sale of stolen equipment.</p>
<p>With that idea in mind, however, thieves might be less likely to steal a lens in the first place.</p>
<p>Nikon filed patent 2013-61508 in Japan on September 14, 2011. The patent was published nearly two weeks ago, on April 4. The publication of a patent application signals the date it is publicly available to be reviewed and when it becomes "prior art" for other patent applications worldwide. A translation of that <a href="http://translate.google.com/translate?sl=ja&amp;tl=en&amp;js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;eotf=1&amp;u=http%3A%2F%2Fegami.blog.so-net.ne.jp%2F2013-04-10">patent filing is available via Google Translation</a>.</p>
<p>Details behind the authentication system were hard to come by via the translation. The website <a href="http://nikonrumors.com/2013/04/13/nikons-patent-reveals-passcode-protection-of-lens-body-combination.aspx/">Nikon Rumors</a> theorized that the authentication would include a pre-set password and a link between the lens and the camera serial numbers.</p>
<p>There have already been concerns that such an authentication system would make camera-lens rentals difficult, if not impossible. Of course, the obvious solution &mdash; sharing the password &mdash; would violate a basic tenet of password security.</p>
<p>There is no word about password configuration rules or how one might reset a forgotten password. Or how many people are projected to write the password on a card and drop it in their camera bag.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000013900</guid>
      <link><![CDATA[http://www.zdnet.com/mozilla-goal-is-half-of-internet-on-persona-id-by-year-end-7000013900/]]></link>
      <title><![CDATA[Mozilla goal is half of Internet on Persona ID by year end]]></title>
      <description><![CDATA[Mozilla is counting on its federated and distributed authentication idea to catch fire now that it has bridged a major gap.]]></description>
      <pubDate><![CDATA[Thu, 11 Apr 2013 23:51:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-browser/">Browser</category>
      <media:text type="html"><![CDATA[<p>Later this year,&nbsp;Mozilla plans to have its browser-based identity infrastructure available to half of the worldwide Internet user population.</p>
<p>Mozilla released Beta 2 of Persona, formerly known as BrowserID, this week, including a new feature called Identity Bridge that integrates Persona with emerging identity protocols OAuth and OpenID. Mozilla did not announce support for the newer OpenID Connect.</p>
<p>As part of Beta 2, Mozilla announced it would support Persona-based authentication using Yahoo.com email addresses. Introduced in July 2011, Persona is a browser-based decentralized authentication system that supports the use of <a href="http://www.zdnet.com/blog/identity/browserid-testing-waters-but-missing-pieces-weaken-story/180">email addresses as an authentication credential</a>. It's designed to replace username and password log-ins along with identity architectures that require third-party ID providers to issue credentials.</p>
<p>The Yahoo integration point is Identity Bridge, an open source server developed by Mozilla that speaks the Persona IdP protocol on one side and OpenID or OAuth on the other.</p>
<p>The server, developed under the code name Big Tent, links Persona and Yahoo.com users, allowing them to log on with their Yahoo email address without having to surrender any access to their account. That is different from social networking logins, such as those through Facebook and Twitter, which can expose portions of the user's data to the service even though all the end-user wants is authentication.</p>
<p>Mozilla says other major email providers will be on board in the coming months, exposing Mozilla Persona to half of all worldwide Internet users.</p>
<p>"This means a user who&rsquo;s never used a site before, and never used Persona before, can log in in seconds," said Lloyd Hilaiel, the technical lead for <a href="http://blog.mozilla.org/beyond-the-code/2013/04/09/persona-beta2/">Mozilla Persona, in a Q&amp;A on the Mozilla Web site.</a></p>
<p>The Persona infrastructure has suffered thus far from lack of support by email providers, who act as identity providers (IdP) &mdash;&nbsp;those who validate email addresses as part of the authentication process.</p>
<p>Mozilla has already solved Persona's other major issue, multi-language support, and now supports 30 languages.</p>
<p>But Mozilla has changed its tack with the Identity Bridge, allowing email providers to leverage their support for OpenID and OAuth, two identity protocols in use today by providers such as Yahoo and Google. The previous model required email providers to adopt the Persona IdP protocol.</p>
<p>Eventually, Mozilla plans to extract itself from Persona's authentication flow, which happens under the covers, including cryptographic keys that are passed among the website, the browser and a verification service to validate identity.</p>
<p>"Once we are successful, Mozilla itself will not actually be running a centralized service," said Hilaiel. "Browser vendors will build the client pieces, websites and email providers the server bits, and Mozilla will be almost completely out of the sign-in transaction." Almost completely, Hilaiel noted, because all flavors of Firefox browsers will have a native implementation of Persona, which is the client component of sign-in.</p>
<p>Mozilla also plans to integrate Persona into Firefox OS, the new Mozilla mobile OS set for release this summer. It also will be added to desktop Firefox.</p>
<p>"In the coming months, we&rsquo;re planning for improved browser support, interaction refinements, and performance improvements that I think are really going to tip the scales," said Hilaiel.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000013703</guid>
      <link><![CDATA[http://www.zdnet.com/will-facebook-have-a-home-for-privacy-7000013703/]]></link>
      <title><![CDATA[Will Facebook have a home for privacy?]]></title>
      <description><![CDATA[Facebook Home officially launches Friday and privacy is (not surprisingly) the nagging question.]]></description>
      <pubDate><![CDATA[Tue, 09 Apr 2013 19:14:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-social-enterprise/">Social Enterprise</category>
      <media:text type="html"><![CDATA[<p>This Friday, Android phone users have an important privacy decision to make. That is the day Facebook Home is available.</p>
<p>Do users care if Facebook becomes the doorman to their device? Or do they want to preserve that duty for the lock-screen they know is benign?</p>
<p>No longer just another mobile app, <a href="http://www.zdnet.com/first-impressions-hands-on-with-facebook-home-for-android-7000013547/">Home widens the area of digital life Facebook can see</a>, collect and track. Home improves the so-called "frictionless" collection of data, which should <a href="http://www.zdnet.com/why-facebook-home-will-blow-android-into-smithereens-7000013549/">raise questions</a>, if not red flags.</p>
<p>Home appears to be a better way for Facebook to gather information about the user, which certainly provides more resources for what fills Facebook's balance sheet: serving up ads, especially in a point-in-time way. In fact, investors liked it, bidding up Facebook shares 3% the day Home was announced.</p>
<p>Will Facebook unduly exploit these new opportunities? Will users trust them not to? Will regulators be stopping by for a check-up?</p>
<p>Facebook is the poster child for an ongoing, worldwide privacy debate, and Home is more fuel for a fire burning across tech pubs, privacy and user groups, and world governments.</p>
<p>To deflect fears and some recent scolding critiques of Home, Facebook's Michael Richter, chief privacy officer for product, and Erin Egan, chief privacy officer for policy, published a Q&amp;A last Friday&nbsp;about Home and privacy.</p>
<p>They addressed location and data collection, along with the amount of visibility Facebook would have into app use and a user's ongoing device activity. The answers in their Q&amp;A look like more of the same genre of privacy concerns some users &mdash;&nbsp;and many governments &mdash;&nbsp;have had all along with Facebook.</p>
<p>On April 5, Egan was also the guest on Facebook's second installment of its "Ask the CPO" video segment, in which she answered questions for nearly 30 minutes on data collection, filters, bugs and fake accounts. She also received some touching feedback from her dad via her personal Facebook page &mdash;&nbsp;which ironically seems carefully devoid of personal information.</p>
<p>The jobs occupied by Richter and Egan, both lawyers, were created in Nov. 2011 in the wake of a privacy complaint settlement between the Federal Trade Commission and the social networking giant. So the pair know the privacy score.</p>
<p>But the playing field doesn't seem to be changing much. Home looks to be more of the same types of tracking and privacy pitfalls that have previously invited intense scrutiny and legal settlements.</p>
<p>The major difference between Home and the traditional Facebook app seems to be the option to have an "always-on" Facebook. One that is organizing, tracking and culling your activity and providing that plugged-in social feeling that is the draw of the social network; a draw for real-time retail offers and location knowledge on friends as much as it is for "socializing."</p>
<p>Home collects "Likes," comments and messages that you send, but it also keeps a list of apps you have in Home's app launcher. This app launcher can see what you launch, but not what you did, unless users have already integrated those apps with Facebook.</p>
<p>Home pre-installed on devices can display system notifications, and Facebook collects which app is generating them (but not the content of the app). This information is cleaned out every 90 days, according to Facebook.</p>
<p>Location is used in the same way as it is in the mobile Facebook app, and users can toggle off location via their device settings.</p>
<p>The data that Facebook receives is covered by Facebook's current data usage policy, a document that is at best a moving target.</p>
<p>But privacy groups are concerned.</p>
<p>Electronic Frontier Foundation activist Parker Higgins told <a href="http://www.digitaltrends.com/social-media/what-the-new-facebook-phone-means-for-privacy/">Digital Trends</a>, "They will get information about who you're calling, how often, and how long you're speaking to them. That's a lot of information, and combined with the rest of your Facebook communications, (it) could paint a very clear picture of your private life."</p>
<p>I salute those who will pilot Facebook Home &mdash;&nbsp;they are the canaries in a coal mine that has already produced noxious fumes. We'll check in with you when (and if)&nbsp;you leave the mine with your privacy intact.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000013474</guid>
      <link><![CDATA[http://www.zdnet.com/two-factor-authentication-in-two-years-7000013474/]]></link>
      <title><![CDATA[Two-factor authentication in two years]]></title>
      <description><![CDATA[Two-factor authentication requirements will be accepted by websites and end users at least to aid sensitive transactions, an analyst has predicted.]]></description>
      <pubDate><![CDATA[Thu, 04 Apr 2013 02:24:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-cloud/">Cloud</category>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>Within a couple of years, two-factor authentication is going to be unilaterally required by online service providers and accepted by users, at least for sensitive transactions, according to Forrester analyst Eve Maler.</p>
<p>Maler's prediction comes in the wake of breaches over the past 14 months that are exposing the underlying weakness of passwords.</p>
<p>"With the greater experience of banks starting to introduce [two-factor authentication] in a minimal way, and the greater experience of password breaches forcing people to undergo some pain, I think we are going to experience a sea change in strong authentication that consumer users will encounter for ordinary online interactions," said Maler.</p>
<p>"I see it the same way social logins became a federated single sign-on pattern we thought consumers would never go for," she said. In that case, many consumers have accepted using their Facebook, Twitter, or other credential to log in to other sites, for example games connected to Facebook or analytic applications connected with Twitter. Some enterprises have also adopted social logins as a low-level credential for initially authenticating users, most notably Bechtel and Boeing.</p>
<p>Maler acknowledged that adoption of <a href="http://www.zdnet.com/is-two-factor-the-savior-for-secure-log-ins-7000012409/">two-factor authentication is not burning through the end-user population</a>.</p>
<p>Sites such as <a href="http://www.zdnet.com/apple-adds-two-factor-authentication-to-apple-id-7000012971/">Apple</a>, <a href="http://www.zdnet.com/evernote-hacked-forces-password-reset-7000012045/">Evernote</a>, Amazon Web Services, PayPal, and <a href="http://www.zdnet.com/dropbox-users-report-spam-emails-after-last-years-data-breach-7000012019/">Dropbox</a> have recently made news by instituting a two-factor authentication option for their users. Sites like Google and Yahoo have offered it for some time. Adoption numbers, generally, have been perceived to be low, given usability issues and end-user indifference to security.</p>
<p>"The US market is less tolerant of that kind of friction than a lot of the other markets around the world where it is par for the course," said Maler.</p>
<p>Google uses a technique it calls two-step verification (2sv), a credential followed by a six-digit verification code delivered by various means. Publicly, Google will only say it <a href="http://www.computer.org/cms/Computer.org/ComputingNow/pdfs/AuthenticationAtScale.pdf">has been adopted by millions of its users (PDF)</a>. But even 10 million users would be a single-digit percentage of users across its apps and social sites. The company claims its deployment is among the largest two-factor authentication deployments in the world.</p>
<p>Maler doesn't suggest that two-factor authentication is the solution to <a href="http://www.zdnet.com/is-two-factor-the-savior-for-secure-log-ins-7000012409/">all authentication problems or should be used in all cases</a>, but she said that recent real-world breaches and the process for password resets show that these exercises are not the most pleasant experiences.</p>
<p>"So I am sticking my neck out and making a prediction for more tolerance of adding a factor here and there, at least at some times &mdash; say, when you are not on a trusted device," she said.</p>
<p>But she does think that while there will be some security gains, there will also be some conveniences lost &mdash; most notably something she calls "consensual impersonation". (<em><a href="http://blogs.forrester.com/eve_maler/13-04-01-two_step_verification_will_end_consensual_impersonation">More on her blog post</a></em>).</p>
<p>Maler said that is when you share your credentials with another person, so that person can do stuff in your account as though they were you.</p>
<p>Maler admitted that some people are beginning to see these password breaches like a hard-drive crash &mdash; it happens. End users and even security pros can get desensitized.</p>
<p>"I think the turning point will happen when we see someone turn on two-factor unilaterally to protect some resource," she said. "Perhaps it's a bank at first where there is obvious transaction value."</p>
<p><strong><em>Updated at 4.37 PDT, April 3, 2013<br /></em></strong></p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000013256</guid>
      <link><![CDATA[http://www.zdnet.com/nstic-led-id-plan-earmarks-4-million-to-secure-state-government-services-7000013256/]]></link>
      <title><![CDATA[NSTIC-led ID plan earmarks $4 million to secure state government services]]></title>
      <description><![CDATA[NSTIC and the Office of Management and Budget hope secure ID credentials add security, accuracy, speed to state, local government benefit programs online.]]></description>
      <pubDate><![CDATA[Thu, 28 Mar 2013 22:09:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>The two-year-old initiative to create an identity layer for the internet is backing a set of projects aimed at creating identity-based security to support state and local government services online.</p>
<p>The National Program Office (NPO) of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is working with the Office of Management and Budget (OMB) to fund at least <a href="http://fundedpilots.community.collaborativeforumonline.com/trusted-online-credentials-for-state-agencies">two projects that would split up to $4 million</a> and be aimed at developing verification systems to support citizen access to any number of services or agencies. A call for project proposals will go out in the next 45 days.</p>
<p>The projects eventually selected will be aimed at showcasing integration with the NSTIC "identity ecosystem". Selection will favor projects that "demonstrate the potential for interoperability of an identity credential from a private identity provider with both state and federal programs".</p>
<p>The idea is that a secure credential will not only facilitate use of services, but stimulate efforts to bring more services online and to make all services more secure. The hope is that the secure credential will integrate across agencies, speed up activation of services, and help track that the proper payments make it to the correct citizens.</p>
<p>This is the second round of pilot programs NSTIC has launched this year. The earlier round, which drew 70 respondents, was a general call for plans to help build out NSTIC's proposed identity ecosystem.</p>
<p>In September 2012, the initial set of <a href="http://www.zdnet.com/nstic-launches-pilot-programs-with-9-million-in-grants-7000004639/">NSTIC pilot grants awarded $9 million to five projects</a>. The projects include a program within the <a href="http://www.zdnet.com/dmv-driving-virginias-next-gen-identity-system-7000012954/">Commonwealth of Virginia for creating a shared authentication across state agencies</a>.</p>
<p>These new specific state and local government pilots will be funded by the OMB's Partnership Fund for Program Integrity Innovation, which is a federal program established by Congress in 2010.</p>
<p>The fund enables federal, state, local, and tribal agencies to pilot ideas for improving assistance programs in a controlled environment. NSTIC thinks state governments add value to its identity ecosystem strategy not only as credential providers, so-called identity providers (IdP), but also, more importantly, as relying parties.</p>
<p>Relying parties are those sites that agree to trust credentials issued by an IdP. To date, it has been difficult finding sites and organizations willing to be relying parties.</p>
<p>There are other major hurdles involved in injecting identity into public benefits programs, including privacy, data storage, and high costs.</p>
<p>As part of the NSTIC-OMB announcement, the pair gave these examples of issues that need to be addressed in any state government program:</p>
<ul>
<li><p>Concerns about applicant and beneficiary privacy, such as concerns that identity proofing techniques may be too intrusive, as well as concerns that data collected will be inappropriately shared with other programs or parties.</p></li>
<li><p>Difficulties conducting identity proofing and ensuring that commonly used identity proofing approaches can adequately cover the beneficiary population.</p></li>
<li><p>High per-user costs of many identity solutions, some of which even exceed the budgets of agencies, particularly when the solution would only be used in a single service, as well as challenges demonstrating the ability to show how costs could be recovered.</p></li>
<li><p>Security challenges faced by some states in demonstrating an ability to securely store sensitive information.</p></li>
</ul>
<p>NSTIC hopes that the pilot program will produce trusted online credentials that meet its four guiding principles &mdash; that identity solutions be privacy enhancing and voluntary; secure and resilient; interoperable; and cost effective and easy to use.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000013019</guid>
      <link><![CDATA[http://www.zdnet.com/passwords-rotten-core-not-complexity-but-reuse-7000013019/]]></link>
      <title><![CDATA[Password's rotten core not complexity but reuse]]></title>
      <description><![CDATA[SANS Institute's list of the top 7 human risks in computing includes phishing, passwords, and devices.]]></description>
      <pubDate><![CDATA[Sat, 23 Mar 2013 02:11:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <media:text type="html"><![CDATA[<p>It's not how sophisticated one makes their password, but how many variations they have &mdash; or don't have &mdash; that makes them a security risk.</p>
<p>In his look at the top seven human risks associated with computing, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, listed password reuse as number two on the list.</p>
<p>"With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts," said Spitzner. "Once the bad guys got it, it was very simple to move around [the network]."</p>
<p>Online password reuse also makes it easy for hackers to use one stolen credential at many sites, which is <a href="http://www.zdnet.com/stolen-passwords-re-used-to-attack-best-buy-accounts-7000000741/">what happened to Best Buy customers</a> last year.</p>
<p>The reuse issue is the reason hacked companies tell people to change their passwords not only on the hacked site, but on other sites they visit. This is especially true now that hackers routinely post stolen user names and passwords online, which can mean that multiple accounts get compromised months or even years beyond the initial password theft.</p>
<p>Spitzner said risk happens as soon as humans touch keyboards.</p>
<p>"People are no more than another OS &mdash; the human OS &mdash; and we have done nothing to secure this OS," he said. "All the services are on by default and this OS is happy to share."</p>
<p>But Spitzner was not calling people out as "stupid or un-trainable"; he said the issue is that we've done nothing to change our behavior.</p>
<p>"People underestimate risk, they go to websites, they download files, they insert USB sticks," he said.</p>
<p>His list of the seven top human risks is:</p>
<ul>
<li><p>Phishing</p></li>
<li><p>Password reuse across sites</p></li>
<li><p>Not patching or updating devices (BYOD)</p></li>
<li><p>Indiscriminate use of mobile media</p></li>
<li><p>Sharing too much personal/work information on social networking sites</p></li>
<li><p>Lack of situational awareness</p></li>
<li><p>Accidental disclosure/loss of information.</p></li>
</ul>
<p>Spitzner said that most organizations suffer from a subset of this list. In his position at SANS, he instructs companies to do a risk analysis and then focus on their top risks.</p>
<p>"Don't overwhelm people with all of these," he said. "Teach the fewest topics that have the greatest impact."</p>
<p>One technique Spitzner suggested is creating training modules that can be reused over time to keep the training fresh in people's minds. And create content people can consume on their own time, he said.</p>
<p>"A key thing I have learned is not what you teach, but how," he said. "Don't focus on how awareness affects the corporation, focus on how it affects people at home. Then security becomes part of their DNA."</p>
<p>To listen to Spitzner's entire webcast, <a href="http://365.rsaconference.com/community/connect/blog/2013/02/25/webcast-mitigating-the-top-human-risk">Mitigating the top Human Risks, click here</a>.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000012954</guid>
      <link><![CDATA[http://www.zdnet.com/dmv-driving-virginias-next-gen-identity-system-7000012954/]]></link>
      <title><![CDATA[DMV driving Virginia's next-gen identity system]]></title>
      <description><![CDATA[The Commonwealth may well be proving that a national effort to build an identity layer for the internet has the tools it needs to meet the challenge.]]></description>
      <pubDate><![CDATA[Thu, 21 Mar 2013 23:03:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-cloud/">Cloud</category>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>The Virginia Department of Motor Vehicles (DMV) is crushing every clich&eacute; ever uttered about a DMV by quietly becoming one of the most cutting-edge and strategic government agencies in the state, and perhaps the country.</p>
<p>The DMV has entered the implementation stage of a multi-year identity management plan that starts with sharing authentication data across agencies so that citizens can log in once and access services across many agencies.</p>
<p>The system allows those users to gain qualifying attributes along the way, such as validation of enrollment, depending on the agencies they visit and the services they are seeking.</p>
<p>The goal is to improve service, reduce fraud, and save enough money to cover the cost of the improvements and more.</p>
<p>With the DMV, the Commonwealth is starting where a deep well of identity data has already been collected, vetted, and stored, including core attributes such as name, date of birth, social security number, and gender.</p>
<p>"We look at the data that is in the DMVs across all states," said Dave Burhop, deputy commissioner and CIO of the Virginia DMV. "It is really golden; a golden record. And it is those data attributes, which are really trusted in the physical credential [drivers license], that we want to use in the virtual world."</p>
<p>The plan centers around something called the Commonwealth Authentication Service (CAS). That is the anchor for providing identity attributes on an enterprise scale, and for supplying an ID service to other Commonwealth agencies so they can stop issuing credentials and instead focus on their services.</p>
<p>At its full implementation, CAS will offer NIST Level of Assurance 1-3 compliant credentials that are interoperable with Level 4. These industry-defined levels describe how the identity was registered, how the user authenticates, and if the credential meets the needs of the Web site considering the authentication request.</p>
<p>Also, CAS will support the enterprise identity service, identity proofing, multifactor authentication, and identity binding.</p>
<p>The DMV's ID odyssey started about eight years ago with a whitepaper on the status of the state's identity and access management capabilities, and how single sign-on could benefit citizens dealing with the government.</p>
<p>But the business case wasn't crystal clear and the idea failed to win endorsements.</p>
<p>The idea was revived with the Federal Affordable Care Act in 2010, and then energized the next year with the introduction of the National Strategy for Trusted Identities in Cyberspace (NSTIC).</p>
<p>In fact, the Virginia DMV efforts are a <a href="http://www.zdnet.com/nstic-launches-pilot-programs-with-9-million-in-grants-7000004639">focal point of a $1.6 million NSTIC grant </a>given to the American Association of Motor Vehicle Administrators (AAMVA) in September 2012 to work on a pilot.</p>
<p>In addition, the program is targeted at gluing together state agencies, along with the Virginia Personal Identity Verification program for federal employees and contractors. And in alignment with the standards-based principles of NSTIC, the program will help support a trust framework with AAMVA, integration with other states via the State Identity and Credential Access Management (SICAM) architecture, and with agencies in Canada.</p>
<p>"We now have a business problem and a business case," said Burhop.</p>
<p>Today, citizens who get services from the Virginia Department of Social Services (DSS) can go through CAS to self-enroll and create accounts, a Level 1 credential. The DMV is currently installing identity vetting and binding capabilities that validate citizen IDs and the services available to those citizens, and allow bi-directional sharing of information (Level 2). The next move is to multi-factor authentication support for Level 3 credentials.</p>
<p>While DSS is the first online, other agencies will follow shortly.</p>
<p>"What we are doing is taking the burden of identity management off the agency's plate," said Michael Farnsworth, the CAS project manager. "[That burden] is someone having to understand the complexity of issuing, maintaining, and revoking a credential. This allows us to do everything in a more streamlined fashion."</p>
<p>Through the process, Farnsworth said that one focus has been on ensuring this project does not come off as a "Big Brother Syndrome".</p>
<p>"We built privacy in from the start," he said.</p>
<p>And, Farnsworth added, the benefit for the industry is that other governments or companies trying similar feats of single sign-on, cross-domain trust and integration are not alone.</p>
<p>"And the second thing is proving that it can actually be done," said Farnsworth. "We have had great success."</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000012409</guid>
      <link><![CDATA[http://www.zdnet.com/is-two-factor-the-savior-for-secure-log-ins-7000012409/]]></link>
      <title><![CDATA[Is two-factor the savior for secure logins?]]></title>
      <description><![CDATA[A pair of security experts laud the renewed interest in two-factor authentication, but say there are other improvements needed to tighten security around end-user logins.]]></description>
      <pubDate><![CDATA[Mon, 11 Mar 2013 22:46:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-cloud/">Cloud</category>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>The rise in interest around two-factor authentication among embattled online service providers may look like the solution to securing end-user logins, but it is only one piece of a long-term project, according to a pair of security experts.</p>
<p>Just last week, Evernote became the latest service provider to commit to offering a two-factor authentication option to its end-users. A hack of the company's systems forced it to reset 50 million passwords.</p>
<p>Already, Facebook, <a href="http://www.zdnet.com/google-patches-two-factor-authentication-oversight-7000011830/">Google</a>, <a href="http://www.zdnet.com/is-two-factor-authentication-dropboxs-security-answer-7000002065/">Dropbox</a>, Amazon, Microsoft, PayPal, and <a href="http://www.zdnet.com/blog/security/yahoo-mail-introduces-two-factor-authentication/9846">Yahoo</a> are committed to two-factor authentication options for end-users.</p>
<p><a href="http://www.zdnet.com/twitter-mulls-implementing-two-factor-authentication-7000010797/">Twitter, which was hacked last month and lost 250,000 passwords, is under pressure to join the group </a>and offer two-factor authentication, which is the addition to the common password of a second piece of identification in order to gain access to computer resources.</p>
<p>There is no question that forms of two-factor authentication can increase security around end-user logins, but by itself, a two-factor system is not a universal remedy.</p>
<p>"This is an incremental win, and it is generally good that [this interest in two-factor authentication] is happening," said Gunnar Peterson, managing principal at Arctec Group. "Initial authentication needs to get stronger, but for sure, it is not a panacea."</p>
<p>Peterson pointed out that two-factor is not new. The security technique itself is not in question, but historically users were burdened by its extra steps, and lost or forgotten hardware tokens drove abandonment or creative workarounds.</p>
<p>Many providers, such as Evernote and Google, offer two-factor only as an option, not a mandate. So despite all their efforts, the tightening of the security screw is left to the proverbial weakest link in the chain, the end-user.</p>
<p>But Peterson said that it's a positive development that service providers are getting creative in using techniques such as SMS and smartphones, devices that users want to carry and that help two-factor scale.</p>
<p>"It's nice to see that some of these hurdles are being cleared," he said. But today, there is a lot of "silver bullet frenzy" around the topic.</p>
<p>Jeff Stollman, principal at Secure Identity Computing, said the details around two-factor authentication are not always clearly explained, and that leads to poor decisions.</p>
<p>"Deployment is often pushed by regulators, but how it should be done is not defined," he said.</p>
<p>In-band factors, such as answering security questions, are notably weak: a phishing or man-in-the-middle site that captures the password captures the answers in the same session. And the answers to the personal questions they ask often can easily be discovered online or in social media accounts.</p>
<p>"Two factor needs to be out-of-band; either a token or a mobile phone," said Stollman. On a scale of one to 10, if authentication is a one, out-of-band two-factor can increase security to a three or a four, he said.</p>
<p>With these methods, users are sent a code to enter to complete login or they acquire a token, a bit of data to prove who they are, that is presented to complete authentication.</p>
<p>Of course, mobile devices are a blessing and a curse. They undermine out-of-band methods when users log into services from the same phone that receives the code, which negates the independence of the second factor.</p>
<p>"The smartphone has the ability to simultaneously weaken two-factor because you are going to be using Facebook, Google, Twitter from that device, and is that really another factor if you are pushing your credential back through it," said Peterson. "Just because that happens on another channel, is that really as secure as something like a smart card."</p>
<p>The two-factor movement is also being pushed by the fact that companies don't have to dramatically change or update infrastructure to enable the technology.</p>
<p>"Evernote can roll changes out without re-doing its entire site or re-doing its entire API," said Peterson. "It's an isolated change that offers a lot of security for a little bit of work, and that is always a good thing."</p>
<p>But there are other factors to consider, especially around infrastructure for service providers, such as how accurate is their initial identity proofing on the front-end. Also, what have they changed in their backend plumbing to address any session management problems, data leakage, SSL implementation errors, or inaccurate authorization data that could lead to a host of vulnerabilities.</p>
<p>Peterson likened it to installing a bright new shiny sink and connecting it to 110-year-old plumbing.</p>
<p>"I would prefer people target the structural and strategic problems as well," he says.</p>
<p>He mentioned techniques such as risk-adaptive access control that recognize use and behavior, along with fraud and attack models that drive intelligence into authentication and authorization tools.</p>
<p>And he said device features such as GPS or geo-location could be resources to help improve authentication from the client side. Even techniques like shaking the phone or speech recognition could provide an identifying factor.</p>
<p>Nor has two-factor proven immune to human error or human manipulation. <a href="http://www.zdnet.com/google-patches-two-factor-authentication-oversight-7000011830/">Researchers found holes in Google's two-factor system</a> based on a number of integrations gone wrong across the backend of its services. And the infamous foundation shaker of 2011 &mdash; the RSA SecurID hack &mdash; began with phishing on the client side and ended with previously unimaginable exploits on the backend.</p>
<p>"The way security works is we raise the bar and the hackers try to jump over it," said Peterson.</p>
<p>"Does two-factor raise the bar? It raises it some percent, but do I think that hackers will not be able to clear that bar? No, I think they will still be able to clear it."</p>
<p>But it doesn't mean that two-factor authentication won't push the ball forward.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000012294</guid>
      <link><![CDATA[http://www.zdnet.com/nstic-appears-to-have-dodged-nist-sequester-cuts-7000012294/]]></link>
      <title><![CDATA[NSTIC appears to have dodged NIST sequester cuts]]></title>
      <description><![CDATA[The National Strategy for Trusted Identities in Cyberspace is moving ahead with current plans to establish more pilots and programs this year.]]></description>
      <pubDate><![CDATA[Fri, 08 Mar 2013 21:36:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>The US federal budget sequestration is not expected to eliminate or reduce any of the pilots and programs in place as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), according to a source at the Commerce Department.</p>
<p>The $85 billion in cuts triggered by the sequester, which went into effect March 1, hit the National Institute of Standards and Technology (NIST) to the tune of $38 million. NSTIC is run by NIST, which is under the control of the Commerce Department.</p>
<p>The Commerce Department official said, "The reductions required by sequestration will adversely affect all NIST cybersecurity related efforts through cutbacks on travel, contracts, grants, and other operational expenses. NIST currently does not anticipate eliminating or reducing NSTIC pilots or programs."</p>
<p><a href="https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/11/22/NSTIC-funding-in-165-million">In November 2011, NSTIC</a>, which was mandated by President Obama in April 2011, received $16.5 million in federal funding. In <a href="http://www.zdnet.com/nstic-launches-pilot-programs-with-9-million-in-grants-7000004639/">September of last year, NIST committed $9 million</a> to five pilot programs marking a major milestone in the then 17-month-old NSTIC initiative.</p>
<p>The pilots address issues such as secure transactions, privacy, ecommerce, and federation. The five were selected from 180 applications submitted from higher education, hospitals, non-profits, commercial businesses, and governments.</p>
<p>Last month, NSTIC set in motion another round of pilot projects by soliciting applications for ideas. The funding amount for the new pilot awards is not yet set, according to the NSTIC National Program Office, which said full implementation of the program and issuance of awards is subject to the availability of funds in the 2013 budget.</p>
<p>NSTIC pilots are meant to cultivate ideas that will anchor an online "identity ecosystem" to be built and managed by the private sector. The idea is that the programs will build and test technology, identity models, and frameworks to support a standards-based identity infrastructure.</p>
<p>NSTIC is not about a national ID card, but about an identity network to help stimulate and secure online interaction and transactions. It is analogous to the ATM banking system, where credentials issued by private entities (banks) are valid among multiple systems.</p>
    </item>
    <item>
      <guid isPermaLink="false">7000012224</guid>
      <link><![CDATA[http://www.zdnet.com/judge-tosses-suit-against-linkedin-7000012224/]]></link>
      <title><![CDATA[Judge tosses suit against LinkedIn]]></title>
      <description><![CDATA[A US District Court judge in California has ruled that plaintiffs failed to show harm stemming from last year's theft of 6.5 million passwords from LinkedIn. ]]></description>
      <pubDate><![CDATA[Thu, 07 Mar 2013 07:42:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <media:text type="html"><![CDATA[<p>Citing a failure to prove harm, a US District Court judge in California threw out a $5 million class-action lawsuit against LinkedIn that stemmed from last year's <a href="http://www.zdnet.com/blog/btl/linkedin-password-breach-how-to-tell-if-youre-affected/79412">theft of 6.5 million passwords </a>from the professional-networking giant.</p>
<p>US District Judge Edward J Davila said that the plaintiffs failed to show a "causal connection" between the harm they allegedly suffered and LinkedIn's alleged failure to follow industry standards and its own promise to encrypt user password data.</p>
<p>In dismissing the case, the judge said that the plaintiffs admitted they had never actually read LinkedIn's privacy policy and, therefore, could not claim the company misrepresented itself.</p>
<p>In June of last year, LinkedIn reported that Russian hackers had stolen nearly 6.5 million passwords from its website. With more than 150 million users, the password theft involved less than 5 percent of LinkedIn's user base.</p>
<p>Shortly thereafter, Katie Szpyrka, a registered LinkedIn account holder since 2010, <a href="http://www.courthousenews.com/2012/06/18/Linkedin.pdf">filed suit in United States District Court in the Northern District of California</a>, demanding a jury trial on grounds including breach of contract and negligence. The suit claimed $5 million in damages.</p>
<p>The Illinois woman, who paid $26.95 per month for a premium LinkedIn account, said LinkedIn's privacy policy promises users that all the information they provide will be protected with industry standards and technology.</p>
<p>She said that LinkedIn failed to comply with basic industry standards by using a weak password-storage format. The company had hashed, rather than encrypted, passwords with the SHA-1 algorithm, and according to experts the fact that it <a href="http://www.unboundid.com/blog/2012/06/14/it-takes-more-than-a-pinch-of-salt-rehashing-the-linkedin-password-breach/">neglected to "salt" the hash weakened the security</a>: without a per-user salt, identical passwords produce identical hashes, and a single pass over a wordlist (or a precomputed lookup table) cracks every matching account at once.</p>
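<p>To make the salting point concrete, here is an added example (written for this page, not LinkedIn's code or the experts' analysis) that contrasts the unsalted SHA-1 scheme described above with per-user salts plus a slow key-derivation function. The user table and attacker wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 is one reasonable choice of slow hash, not the one any party in the article recommended.</p>

```python
import hashlib
import hmac
import os

# Constructed user table for the demo; two users chose the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}
# Constructed attacker wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """One SHA-1 per candidate word tests every user at once, and the lookup
    table could have been precomputed before the breach (rainbow/lookup table)."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records[user] = (salt, iterations, digest)
    return records


def verify_salted(record: tuple, password: str) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored: dict, wordlist: list) -> dict:
    """Salting does not make a dictionary attack impossible, but the work is now
    per user (no shared table) and every guess costs `iterations` hash calls."""
    found = {}
    for user, record in stored.items():
        for word in wordlist:
            if verify_salted(record, word):
                found[user] = word
                break
    return found


def guesses_needed(n_users: int, n_words: int, salted: bool) -> int:
    """Hash computations needed to test a wordlist against every user."""
    return n_words * (n_users if salted else 1)
```

<p>Run the two <code>crack_*</code> functions against the same users: both recover the weak passwords, but the unsalted table gives them away with a single hash per word and exposes which users share a password, while the salted table forces the attacker to repeat the full (slow) work for every user.</p>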
<p>The suit also referenced preliminary reports that said hackers used a common SQL injection attack, which lets them access databases via a website. The suit cited National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.</p>
<p>A second LinkedIn user later joined Szpyrka in the suit, and the two became the representatives in a class-action suit encompassing all LinkedIn users affected by the breach.</p>
<p>But the judge ultimately dismissed the case because LinkedIn's User Agreement and Privacy Policy is the same for both free and paid premium accounts.</p>
<p>In his order to dismiss the case, Judge Davila wrote: "Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members. Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services. The FAC [First Amended Consolidated Complaint] does not sufficiently demonstrate that included in Plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership."</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000011988</guid>
      <link><![CDATA[http://www.zdnet.com/kill-fix-advance-identity-stakes-out-an-evolution-7000011988/]]></link>
      <title><![CDATA[Kill, fix, advance: Identity stakes out an evolution]]></title>
      <description><![CDATA[Authentication, trust, and the cloud emerge as pressing issues for identity's evolution, according to the RSA Conference panel.]]></description>
      <pubDate><![CDATA[Fri, 01 Mar 2013 22:57:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-cloud/">Cloud</category>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>Killing passwords, fixing authentication, and developing trusted identity services are three prominent challenges dominating the identity landscape today, according to a panel of experts speaking Thursday at the RSA Conference.</p>
<p>The panelists, participating in the "Emerging Conflicts in the Identity Space" session, urged enterprises to get proactive and tell vendors just what they need, to define online interactions as identity interactions, to demand standards, and to rethink traditional IAM perimeters.</p>
<p>The first matter of business was to reiterate that <a href="http://www.zdnet.com/it-takes-a-village-to-kill-a-password-7000011638/">the password has outlived its usefulness</a>.</p>
<p>"People know password re-use is a problem, so we actually have to get rid of passwords because there are too many attack vectors," Michael Barrett, PayPal's chief security information officer, told the packed session.</p>
<p>"A big shift we see is people realizing there is a password problem," said Eric Sachs, group product manager for identity at Google, who once again encouraged websites to get out of the password issuing business.</p>
<p>The thinking is that authentication needs to mature to a point where attributes from one or more providers are combined to create an identity that fits the user's context, connecting to a bank account as opposed to signing into a music service.</p>
<p>"Today, we lump identity into one bucket, but authentication is not an individual event; it goes across transactions," said Chuck Mortimore, vice president for product management at Salesforce.com. "There are scenarios where you want to bring attributes into a transaction, not a whole ID. You can 'add' to the primary authenticator."</p>
<p>Barrett said authentication is a "gradient and has properties". And he said authentication could use some risk-based controls. But he cautioned that "killing passwords will take time".</p>
<p>The panel also pondered questions around which entities might scale to provide millions of identities, how those identities integrate across domains, who accepts liability, and what is a reasonable timeframe for it all to change.</p>
<p>"We have a decade of work to do here," said Sachs.</p>
<p>Panelists agreed that the "finish" line could be that far away, but the audience was clearly itching for evolution measured in a year or two.</p>
<p>"The industry is a single-cell organism today with pair-wise and bi-lateral federation," said Andre Durand, CEO of Ping Identity. "The [new] multi-cell organism will require a lot of coordination in the ecosystem. Coordination of trusted third parties to broker connections at scale."</p>
<p>Durand said that the past 10 years were about building the basics &mdash; mostly protocols &mdash; to define use cases. "We are approaching an interesting phase, where those basics are going to be put together in different ways very rapidly. I think we are approaching an explosive moment."</p>
<p>To Durand's point, Mortimore challenged an audience member's notion of a technology problem. "Enterprises are working together today on top of SAML, but the conversation needs to mature," said Mortimore.</p>
<p>SAML is the Security Assertion Markup Language, which was standardized in 2001.</p>
<p>He suggested looking at examples such as the National Strategy for Trusted Identities in Cyberspace (NSTIC), and he said legal and trust framework discussions need to advance.</p>
<p>"People are not quite willing to take liability for doing a bad job. That needs to shift," said Durand.</p>
<p>He also noted that traditional network perimeters need to fall.</p>
<p>"Everything is crossing boundaries and identity has to follow across those boundaries," said Durand. "Third-party identifiers need to be trusted by the organization."</p>
<p>Mortimore said identity needs to take over as the perimeter falls, "but our corporate identities are behind our perimeters and not ready for the cloud".</p>
<p>But he sees the transition to services starting to happen. "The shift comes first to web and cloud apps," he said. Durand added that portable identities, valid outside the issuers' network, are needed to fuel outsourcing.</p>
<p>Barrett gave a historical context to the discussion and admitted the explosion in consumer identity was not originally on the radar.</p>
<p>"[13 years ago with the Liberty Alliance] we realized identity was a hard problem, but what we missed was the value of consumers really managing and driving their own alliances," said Barrett. "SAML 2.0 is still in use within enterprises and between them for a bunch of good reasons. Those use cases are solved, but consumer ID is much more difficult."</p>
<p>Barrett, who headed the Liberty Alliance in the day, urged session attendees to explore a new authentication standard effort he is involved in, called <a href="http://www.fidoalliance.org/">the FIDO Alliance</a>.</p>
<p><em>Disclosure: I work for the same company as Andre Durand, CEO of Ping Identity.</em></p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000011868</guid>
      <link><![CDATA[http://www.zdnet.com/big-data-brings-intelligence-based-security-rsa-chief-says-7000011868/]]></link>
      <title><![CDATA[Big data brings intelligence-based security, RSA chief says]]></title>
      <description><![CDATA[Security architectures will gain smarts by analyzing zettabytes of data.]]></description>
      <pubDate><![CDATA[Wed, 27 Feb 2013 05:44:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p><strong><em>San Francisco &mdash;</em></strong> Big data will transform the way that enterprises architect and manage security, and will finally help get the good guys out in front of the bad guys, said Art Coviello, executive vice president of EMC and executive chairman of RSA.</p>
<p>Coviello, who delivered the opening keynote at the annual RSA Conference, which opened Tuesday, said big data, converging with social, mobile, and cloud, will provide a wealth of information that can be sliced, diced, and analyzed to fuel intelligence-based security systems.</p>
<p>He said an "intelligence-driven model can be made future proof. It evolves and learns from change". He added that such a system can detect anomalies and respond to them.</p>
<p>The model is supported by information gleaned from data that measured a zettabyte in 2012. IDC said that only 1 percent of that cache of information was actually analyzed. Going forward, Coviello said, that dataset is mined, and provides the difference that puts the white hats in front of the black hats.</p>
<p>That switch in advantage won't just happen, however; organizations need to pool data on security breaches to devise new ways to protect resources and create risk-based controls.</p>
<p>He cited recent hacks that hit Apple, Facebook, and Twitter and hoped that those companies might share their data in order to better understand what happened and how to defend against it in the future.</p>
<p>He said that those disruptive attacks are the path to more destructive attacks.</p>
<p>"The attack surface is expanding and there are new risks," he said. Big data is about sifting and analyzing. "It has the potential to transform our lives for the better. Business will become more efficient and productive."</p>
<p>But even as Coviello began to tilt toward wishful visionary, he balanced himself: "Having the right level of understanding is key, because if we, as an industry, overhype this situation, organizations won't take the necessary measures to prepare themselves.</p>
<p>"Our cause is new, we must act anew," he said.</p>
<p>He said big data-based controls will be smart, self-learning, will inform and be informed, they will talk to security tools and governance, risk, and compliance systems.</p>
<p>"Intelligent models can only succeed with better learning," Coviello said.</p>
<p>The goal is a shared data architecture, a single architecture to capture, analyze, and share data.</p>
<p>Coviello said point-to-point products can migrate to big data controls that will lead to true defense in depth.</p>
<p>Despite automation to pull together data and tools, Coviello said, security experts still need to believe in their own good judgment and the responsibility of their roles.</p>
<p>"Big data will transform security, but it must start with us," he told attendees.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000011820</guid>
      <link><![CDATA[http://www.zdnet.com/clouds-risks-spur-notorious-nine-threats-for-2013-7000011820/]]></link>
      <title><![CDATA[Cloud's risks spur 'notorious nine' threats for 2013]]></title>
      <description><![CDATA[Data breaches top the list, up from No. 5 just two years ago, in Cloud Security Alliance report.]]></description>
      <pubDate><![CDATA[Tue, 26 Feb 2013 23:02:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>It's shared and it's on-demand, but the cloud comes with a number of threats that the Cloud Security Alliance (CSA) outlined Monday with the release of its "Notorious Nine" for 2013.</p>
<p>The top three threats this year are data breaches, data loss and account hijacking. In 2010, the top three were abuse of cloud services, insecure interfaces and APIs, and malicious insiders. Those three are still on the list but have fallen (7, 4, 6, respectively) in 2013.</p>
<p>At its annual Summit at the RSA Conference, CSA released the list compiled by its Top Threats Working Group, which seeks to aid companies with their risk-management decisions.</p>
<p>The CSA Top Threats Working Group, which conducted a cloud threats survey with a group of industry experts, is led by Rafal Los, senior security strategist for HP Software, Dave Shackleford, founder and principal consultant at Voodoo Security, and Bryan Sullivan, senior security program manager at Microsoft.</p>
<p>Here are 2013's nine top threats for cloud computing:</p>
<p><strong>1. Data Breaches</strong></p>
<p>We all know <a href="http://www.zdnet.com/businesses-forced-to-admit-data-breaches-under-eu-cybersecurity-plan-7000010985/">data breaches</a> like an annoying old acquaintance, but cloud computing brings with it new paths to aggravation. Here's one that's not so nice to contemplate. A poorly designed multitenant cloud service database allows an attacker who gets into one account to reach every other account associated with the service.<br /><em>2010 ranking: 5</em></p>
<p><strong>2. Data Loss</strong></p>
<p>This is the epic hack story where all your data is either stolen or wiped from your devices. Ouch. An accidental deletion or act of God (think Hurricane Sandy) could lead to permanent data loss unless the provider has backups (don't assume they do; ask exactly how they do it). Also, if an enterprise encrypts data before uploading it to the cloud, it had better protect the encryption keys or the data is as good as gone.<br /><em>2010 ranking: 5</em></p>
<p><strong>3. Account or Service Traffic Hijacking</strong></p>
<p>Enterprises know the drill: hackers social engineer credentials out of innocent end-users with <a href="http://www.zdnet.com/it-takes-a-village-to-kill-a-password-7000011638/">phishing, fraud or by exploiting software vulnerabilities.</a> The credentials typically offer access not to one but to many accounts because end-users re-use those passwords on multiple sites. For providers, the cloud adds a twist: stolen credentials can be used to eavesdrop, manipulate data, return bogus information, or redirect users of the service to fraudulent sites. Not only can attackers pull those tricks, they can use your reputation as another tool for social engineering user behavior.<br /><em>2010 ranking: 6</em></p>
<p><strong>4. Insecure interfaces and APIs</strong></p>
<p><a href="http://www.zdnet.com/banking-apps-not-safe-from-os-vulnerabilities-7000011359/">APIs allow any number of interactions</a> in the cloud - provisioning, management and monitoring to name a few - and they can be a weak link in overall security. APIs are controlled via policy, and developers must take care to design in quality and security that can't be circumvented. The problem gets more complex as APIs are layered across domains.<br /><em>2010 ranking: 2</em></p>
<p><strong>5. Denial of Service</strong></p>
<p><a href="http://www.zdnet.com/capital-one-hit-by-denial-of-service-attack-suffers-online-problems-7000005531/">Knocking out a cloud service</a> is one method of attack that robs users of access to their resources and data, and introduces latency that can mean death to online services. Other forms of attack, such as asymmetric application-level DoS attacks, exploit weaknesses in web servers, databases and other cloud resources to take down a specific application without consuming a lot of attacker resources.<br /><em>2010 ranking: NA</em></p>
<p><strong>6. Malicious insiders</strong></p>
<p>The <a href="http://www.zdnet.com/news/the-state-of-information-security-2011-2012/6335715">inside job is a reality</a>, and the risk is something every organization must weigh. It differs across the board, but when it hits, it hurts. With IaaS, PaaS and SaaS, the insiders in the cloud come along with the providers you hire, but you have little idea who they are and what axes they have to grind. CSA says systems that depend solely on the cloud service provider for security are at the greatest risk.<br /><em>2010 ranking: 3</em></p>
<p><strong>7. Abuse of cloud services</strong></p>
<p>Cloud services democratize computing power; it is available to anyone, even those who seek resources for cracking your encryption, launching a denial of service attack (see No 5), serving malware or distributing pirated software.<br /><em>2010 ranking: 1</em></p>
<p><strong>8. Insufficient due diligence</strong></p>
<p>The benefits of the cloud can be sweet music to some organizations - cost reductions, efficiencies, better security - but the risks are there for <a href="http://www.zdnet.com/fallen-smbs-still-responsible-for-customer-cloud-data-7000006380/">those who don't do enough to assess the risks.</a> Not understanding the cloud service environment, the applications or services pushed to the cloud, or operational responsibilities such as incident response, encryption and security monitoring can create unknown levels of risk in ways not previously considered behind corporate walls.<br /><em>2010 ranking: 7</em></p>
<p><strong>9. Shared technology vulnerabilities</strong></p>
<p>All delivery models show these characteristics, brought on by sharing infrastructure, platforms and applications. A defense-in-depth strategy is recommended by CSA and should include compute, storage, network, application and user security enforcement along with monitoring for IaaS, PaaS or SaaS. One fault can be felt across a service provider's entire cloud.<br /><em>2010 ranking: 4</em></p>
<p>The CSA report includes full explanations and links to information on controls and other details on methods to combat these nine gotchas for 2013.</p>
<p>Do you have a No. 10 to round out the list? What is another top threat of cloud computing?</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000011638</guid>
      <link><![CDATA[http://www.zdnet.com/it-takes-a-village-to-kill-a-password-7000011638/]]></link>
      <title><![CDATA[It takes a village to kill a password]]></title>
      <description><![CDATA[Do end-users, online services, email providers and other invested parties have a collective conscience that can build a better credential and make the Web a safer place?]]></description>
      <pubDate><![CDATA[Fri, 22 Feb 2013 05:03:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <media:text type="html"><![CDATA[<p>Initially I chuckled at Twitter&rsquo;s password advice in the wake of hacks on the accounts of Burger King and Jeep.</p>
<p>The social media site was stealthily admonishing users for their poor password habits (easy to guess, too short, poorly configured, re-used) in a beat-your-head-against-a-wall lecture that end-users have heard and ignored for decades.</p>
<p>And the irony was rich.</p>
<p>Late last month, Twitter itself was the victim of a hack showing its inability to properly configure its own protections for its sensitive data. The result was upwards of 250,000 Twitter users having to reset their passwords.</p>
<p>Were Burger King and Jeep the victim of their own poor password policies? Or were passwords stolen from Twitter or any number of other repositories hacked in the past 24 months or so (<a href="http://www.zdnet.com/blog/btl/6-46-million-linkedin-passwords-leaked-online/79290">LinkedIn</a>, <a href="http://www.zdnet.com/facebook-apple-hacks-could-affect-anyone-heres-what-you-can-do-7000011520/">Facebook, Apple</a>, <a href="http://www.zdnet.com/blog/identity/zappos-breach-highlights-fragile-password-personal-data-security/152">Zappos</a>, <a href="http://www.zdnet.com/blog/security/apple-cbs-fox-sony-warner-bros-and-15-others-hacked/10952">Sony</a>) the source of the passwords? Passwords that perhaps were re-used on multiple sites by end-users - one of the no-no&rsquo;s of Twitter's (and others') rant on good password hygiene.</p>
<p>But as you look at the dynamics of the hacks, and where blame might lie, it is clear from either side that they're really in this together. And they're starting to work on it.</p>
<p>Today, Twitter announced it has been using a technology called "Domain-based Message Authentication, Reporting &amp; Conformance." DMARC is targeted at reducing the number of phishing emails looking to trick users out of their account passwords. DMARC standardizes how email receivers perform email authentication.</p>
<p>DMARC was created by a group of organizations that includes Bank of America, Fidelity, JPMorgan Chase, Comcast, PayPal, Facebook, LinkedIn, and email providers AOL, Microsoft, Yahoo, and Google.</p>
<p>"DMARC gives email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information," wrote <a href="http://blog.twitter.com/2013/02/introducing-dmarc-for-twittercom-emails.html">Twitter's Postmaster Josh Aberant in a blog post today</a>.</p>
<p>That's one major effort to reduce password theft.</p>
<p>Earlier this week, Google updated its war on account hijackers, those who steal (or buy on the black market) credentials of email accounts they can use for sending spam to the account holder's contacts.</p>
<p>"We&rsquo;ve seen a single attacker using stolen passwords attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second," <a href="http://googleblog.blogspot.com/2013/02/an-update-on-our-war-against-account.html">Mike Hearn, a Google security engineer, wrote in a blog post</a>.</p>
<p>So Google instituted a risk analysis system that kicks in when users sign on to their email accounts. The system has some 120 variables. Suspicious looking log-ins, say from the other side of the world from where the user normally resides, are met with some inquiring challenges - say a phone number or secondary email associated with the account.</p>
<p>Google says the results were a reduction in the number of compromised accounts by 99.7% since the peak of hijacking attempts in 2011.</p>
<p>And like Twitter, Google asked end-users to do their part in protecting their accounts with strong and unique passwords, two-step verification, and new recovery options such as secondary email addresses.</p>
<p>In addition, continuing efforts such as the <a href="https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/4/15/Game-on-NSTIC-released-debate-begins">National Strategy for Trusted Identities in Cyberspace (NSTIC)</a>, which is attempting to build an identity layer for the Internet - and standards work around authentication and authorization that will benefit cloud and mobile services - all play a part.</p>
<p>Next week at the annual RSA Conference, identity will cut a wide swath with a number of panels and speakers discussing what is possible, and vendors showing how to build it.</p>
<p>Some will argue this federated identity "ecosystem" is just one credential and a single point of failure. But the target is a better-crafted credential and a better-protected system of connections that includes tokens and trust relationships, a set of identity providers who have liability and revenue at stake, and a revocation/de-provisioning system that can cascade across domains.</p>
<p>None of these actions, words of advice, or product suites taken individually is a silver bullet, but collectively there might just be a silver lining.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000011513</guid>
      <link><![CDATA[http://www.zdnet.com/cloud-maturity-seen-in-expanding-enterprise-security-focus-7000011513/]]></link>
      <title><![CDATA[Cloud maturity seen in expanding enterprise security focus]]></title>
      <description><![CDATA[The RSA Conference will kick off next week with the Cloud Security Alliance Summit, which examines issues from identity, to mobile to national security.]]></description>
      <pubDate><![CDATA[Wed, 20 Feb 2013 04:02:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[John Fontana]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-networking/">Networking</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>The seemingly unstoppable spread of cloud technology across the globe and across vertical industries is finally pushing enterprises to focus on security from multiple angles including <a href="http://www.zdnet.com/trust-will-make-or-break-cloud-id-management-services-7000006705/">identity management</a>, mobile devices, and big data, according to the Cloud Security Alliance (CSA).</p>
<p>Those themes and topics will take center stage at next week's RSA Conference, when the CSA, which now has nearly 45,000 members, hosts its annual Summit on the first day of the conference.</p>
<p>"Our theme is the <a href="http://www.zdnet.com/10-ways-cloud-computing-will-change-in-2013-7000008364/">growing maturity of the cloud</a>, the growth in lessons learned and of enterprise adoption of cloud," said Jim Reavis, executive director of CSA, which got its start at the RSA Conference in 2009.</p>
<p><a href="http://www.dhs.gov/person/mark-weatherford">Mark Weatherford</a>, deputy undersecretary for cybersecurity at the Department of Homeland Security, will examine national security and the cloud in his opening keynote. His appearance comes on the heels of <a href="http://www.zdnet.com/obamas-cybersecurity-executive-order-what-you-need-to-know-7000011221/">President Obama's executive order on cybersecurity</a>.</p>
<p>The discussion represents a relatively new topic area for CSA.</p>
<p>"The focus is not from the top down," says Reavis. "We are starting at the grass roots, what are people seeing out there at a time when there is so much adoption of mobility and cloud services. We are interested in understanding the unintended national security issues that arise."</p>
<p>Reavis says CSA also is in the process of developing its <a href="https://cloudsecurityalliance.org/research/tci/">Trusted Cloud Initiative (TCI)</a> version 2, which has evolved into an overall enterprise architecture view for adopting multiple clouds in a hybrid model. He said large enterprises are using TCI as a blue print to adopt cloud services.</p>
<p>"We thought TCI would be focused on identity, but it covers a lot of other areas," said Reavis. "It is an identity-driven architecture. Identity drives so much around an enterprise being able to adopt cloud, but it doesn't stop there. You have business architecture, ITIL service management, SLAs, it's all part of the cloud experience."</p>
<p>And he says enterprises are realizing their directory assets are strategic and need to be leveraged in the cloud.</p>
<p>"When we talk to innovators in Silicon Valley, they say it is table stakes that they have a partnership with an identity company or that they build enough of the enabling technology to federate," said Reavis. "They have to think about the cloud services they are providing and not just fitting in, but taking advantage of leading edge practices with identity management."</p>
<p>Another forcing function is mobile. The CSA Summit will feature a panel entitled "Mobile Security Insights" with experts from Vordel, Fiberlink, Veracode and Ping Identity (<i>disclaimer: my employer</i>). The discussion will include a look at security innovations around such things as APIs and standards such as OAuth.</p>
<p>A second panel, "Managing Enterprise Global Security in an era of Hybrid Cloud and Smart Mobile," will feature experts from CSA, CA, NetIQ, Qualys and Zscaler who will look at key risks, legal issues, compliance and emerging security architectures.</p>
<p>"We see enterprises struggling with mobile policies that they think are most realistic in terms of achieving compromise between protecting the enterprise and enabling the workforce," said Reavis. CSA has developed guidance such as essential features of mobile device management and templates for <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;ved=0CEUQFjAA&amp;url=http%3A%2F%2Fwww.zdnet.com%2Fhow-to-write-a-byod-policy-7000003502%2F&amp;ei=L98jUdDDPMWbygG1pYHQBA&amp;usg=AFQjCNHZFvxC6EXRB7moS_p8tZ8Qn7bM_A&amp;sig2=l-m5GSgkMQi1CvbhdTnjbA&amp;bvm=bv.42553238,d.aWc">BYOD policies</a>.</p>
<p>"We are seeing companies that are forcing VPN usage to inspect traffic but that is not sustainable. We are at a fairly primitive level of implementation and of understanding what are the best ways to protect mobile in the enterprise."</p>
<p>And Reavis says it only gets more complicated when you view mobile devices as the first wave of defining an Internet of Things, which will be another topic at the CSA Summit.</p>
<p>CSA also plans to highlight its evolution around the globe, including plans to expand its reach into Central America. "You see governments playing a role in cloud adoption with their cloud strategies just like we saw with Vivek Kundra (former U.S. CIO) a few years back," said Reavis.</p>
<p>CSA also plans to announce a Provider Certification Program coming this year and lay out plans for a Legal Information Center to provide information, as opposed to policy or advocacy, on laws and legal issues around the globe that impact cloud adoption.</p>
<p>The Summit will wrap up with a talk by <a href="http://en.wikipedia.org/wiki/James_D._Robinson_III">James Robinson III</a>, co-founder and general partner at RRE Ventures, on "Tech Innovation, Macroeconomics and the Future Security Mandate." Robinson, a well-known figure on Wall Street and the former CEO of American Express, will focus on future technology innovation, corporate utilization of IT and global economic trends that will impact security professionals.</p>]]></media:text>
    </item>
  </channel>
</rss>
