
Exploring the science and magic of Identity and Access Management

There is a beauty and clarity that comes from simplicity that we sometimes do not appreciate in our thirst for intricate solutions. — Dieter F. Uchtdorf

Thursday, October 23, 2014

Identity Trend 10: Internet Identity

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
5:39 pm

This post is the tenth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the traditional Identity Management market grew up meeting the Identity Management needs of enterprises, but, of course, Identity plays a large, essential role in the external Internet as well.  Modern enterprises are increasingly interconnected using the external Internet, but usually when we speak of Internet Identity, we are discussing the relationships between individuals and online service providers, as opposed to users of internal enterprise systems.  In this context, at least two major characteristics of Internet Identity Management are substantially different from Enterprise Identity Management.

  1. Super-scale. Internet Identity systems must scale to accommodate hundreds of millions or billions of individual Identities, as opposed to hundreds of thousands in the largest enterprise Identity systems. Internet scale is enormous.  Billions of people in the world have online accounts, and most online users have several online accounts, often across multiple devices.  The administration of these enormous quantities of identity credentials is currently highly redundant, error-prone and costly.  Yet demands for privacy and security impose high standards on these Identity systems.
  2. User-managed Identities.  Rather than supporting the typical “assignment” and “administration” of identity credentials in enterprise setting, Internet Identity systems typically allow users to “choose” and “manage” their own identity credentials.  Ubiquitous standard methods do not yet exist to allow a common set of Identity credentials, managed by individual users, to be used with multiple online service providers.  The current default method is for each service provider to act as its own “Identity Provider” as well as being a “Service Provider” or “Relying party” that accepts a standard credential.  For example, Google, Yahoo, Facebook and Amazon.com each operates its own Identity Provider function without allowing a user to use a common set of identity credentials across all these major service providers.  While technical standards exist to enable a common Identity Provider serving multiple relying parties, we have not yet seen broad acceptance of an Identity Provider / Relying Party Identity infrastructure.

Multiple companies such as Facebook, Google, Yahoo, PayPal and Equifax have expressed interest in becoming Identity Providers for the Internet.  Certainly they have demonstrated the ability to provide highly performant systems at Internet scale.  Some relying parties have begun to demonstrate acceptance of Identity credentials from such Identity Providers, but clear winners haven’t yet emerged.  For example, Facebook and Google both provide facilities for other online sites to accept their Identity credentials, but uptake by relying parties has been fairly limited so far.

The biggest obstacles slowing widespread acceptance seem to be:

  1. Business Model. Lack of a clear financial business model to support the separation of Identity Providers from relying parties.  It is yet unclear what financial compensation should be provided to an Identity Provider by a Relying Party.  What business model is financially sustainable? 
  2. User Control.  The desire of big service providers to maintain exclusive control over their own user base.  Online service providers recognize that huge value is inherent in a large user base, particularly when combined with usage data that can be mined to provide context and preference information as discussed in my recent blog post.
  3. Ease-of-use vs. Security. Tension that exists between the need for a secure Identity credential system and the need for extreme ease-of-use by online users.  Some methods, such as Infocard/Cardspace and OpenID, have definite ease-of-use advantages over traditional systems, but serious concerns exist about whether either system can support high levels of security or Identity Assurance.

An example of cooperative efforts to address these challenges is the US Government Open Identity Initiative, which seeks to leverage existing industry credentials for Federal use of Internet Access.  Trust frameworks from organizations such as the Kantara Initiative, OpenID Foundation, InfoCard Foundation and InCommon Federation are being considered.  Google, Yahoo, Paypal and Wave are participating in this project as Identity Providers.  While the current focus is on enabling Infocard/Cardspace and OpenID for low-security access to government websites, concern has been expressed that neither method would be sufficient for higher security needs.

Recommendations:

The following questions may be in order as you consider how your organization will address Internet Identity:

  1. How many online users do you have now?
  2. How fast are you growing?
  3. What specific security and privacy assurance levels must you provide?
  4. How could easy-to-use, yet highly secure Identity credentials help you and your users?
  5. Will you be willing to rely on a third party Identity Provider to authenticate users to your site?
  6. What control do you want to entrust to your users to manage their own Identities?

Identity Trend 9: Identity Analytics

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
2:08 pm

This post is the ninth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Whenever data is amassed and made available for analysis, the odds are great that someone will figure out ways to derive new meaning from this data.  So it is with data related to personal Identity.  I believe we will see an explosion of data analytics being applied to Identity-related data for a number of applications.  Three emerging areas are briefly described in this post.

Authentication/Discovery

Considerable evidence is available to show how each of us is progressively establishing a historical, logical “fingerprint” based on our personal patterns of accessing online resources.  In a blog post entitled, “Anonymized Data Really Isn’t,” I discussed how correlating “anonymized” data with seemingly unrelated publicly available data can pinpoint personal identities with frightening accuracy.

In his address at Digital ID World, Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.  Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people, to be used for authentication and focused marketing activities.

I expect we will soon see many ways data analytics will be used for both positive and negative purposes, to very accurately identify individual people and leverage that identification for authentication and personalization purposes.

Context/Purpose

Just like data analytics can be used to identify who we really are, these methods can be leveraged to personalize the experience online users have with each other and with online applications.  As I discussed in my Identity Trend blog post about Personalization and Context, personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience to fit what a user is doing at that time.  Data analytics can be used to evaluate both real time and historical information to answer questions such as:

  • What are you doing now?
  • What did you do recently in a similar circumstance?
  • Will historical patterns predict your preferences?

Perhaps the best-known example of this is Amazon.com’s recommendation service illustrated in the photo above.  In this case, based on my historical purchase pattern, Amazon recommended two books to me.  Ironically, Amazon recommended I purchase Seth Godin’s book entitled “Permission Marketing,” which addresses some of the very issues we are addressing in this post.  In the next few years, we will most likely see more powerful and refined recommendation engines based on complex data analytics, adapted to a wide variety of user interfaces.

Auditing

The big question surrounding IT auditing is, “Who really did what, when and where?”  While many tools exist for maintaining audit trails and evaluating compliance with audit policy, I believe we will see an emerging class of tools to evaluate audit trails and logs in ways not anticipated by current tools.  A few examples:

Sophisticated ad hoc analytics may make it easier to discover patterns of fraudulent access that may be missed by more structured audit tools. 

Enhanced analytics may help improve the business role discovery process by detecting obscure usage trends in log data.
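The kind of ad hoc audit analytics the two examples above describe, as an added illustration that is not code from the original post: the script below runs over a few constructed audit events and flags an account that appears from a never-before-seen location, or whose consecutive logins imply travel faster than is plausible. The event data, the city coordinates and the 1000 km/h plausibility threshold are assumptions made for this example.

```python
"""Ad hoc identity-audit analytics over constructed audit events.

Added example, not code from the original post. It flags two patterns that
need an account's own history as context: a first-seen login location and
"impossible travel" between consecutive logins.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (account, UTC timestamp, city, latitude, longitude)
EVENTS = [
    ("alice", "2009-10-27T09:00:00", "Phoenix", 33.45, -112.07),
    ("alice", "2009-10-27T13:30:00", "Phoenix", 33.45, -112.07),
    ("alice", "2009-10-27T14:05:00", "London", 51.51, -0.13),   # 35 min later
    ("bob", "2009-10-27T08:15:00", "Denver", 39.74, -104.99),
    ("bob", "2009-10-28T08:20:00", "Denver", 39.74, -104.99),
    ("bob", "2009-10-28T20:00:00", "Tokyo", 35.68, 139.69),     # ~11.7 h later
]

# Assumed plausibility threshold (roughly airliner speed), not from the post.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_anomalies(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (account, timestamp, reason) findings, judged per account in time order."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))

    findings = []
    for user, history in by_user.items():
        seen_cities = set()
        prev = None  # previous (when, city, lat, lon) for this account
        for when, city, lat, lon in history:
            if seen_cities and city not in seen_cities:
                findings.append((user, when.isoformat(), f"first login from {city}"))
            if prev is not None:
                hours = (when - prev[0]).total_seconds() / 3600.0
                dist = haversine_km(prev[2], prev[3], lat, lon)
                if hours > 0 and dist / hours > max_speed_kmh:  # hours > 0 avoids divide-by-zero
                    findings.append((user, when.isoformat(),
                                     f"impossible travel {prev[1]}->{city}: "
                                     f"{dist:.0f} km in {hours:.2f} h"))
            seen_cities.add(city)
            prev = (when, city, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(*finding)
```

Bob's Denver-to-Tokyo hop is reported only as a new location, because roughly 9,300 km in under twelve hours is within the assumed threshold; Alice's Phoenix-to-London hop in 35 minutes is reported as impossible travel as well.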

Recommendations:

Some questions you may consider to explore how Identity Analytics may affect your enterprise include:

  1. What Identity data do you currently store?
  2. What related data do you store that could be correlated with Identity data?
  3. Can data analytics be used to correlate data you store with publicly-available data to provide value to your enterprise and your customers?
  4. What additional business value could accrue to your organization based on such analytics?
  5. What privacy and security threats may exist to your employees and your organization if advanced analytics are used to correlate publicly-available data with data you make available?
  6. How could data analytics related to Context and Preference be used to enhance the way users interact with your organization?
  7. How can advanced analytics help you combat fraud or other cybercrime?
  8. How can you use advanced analytics to improve corporate processes?

Identity Trend 8: Personalization and Context

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
10:51 am

This post is the eighth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the work I have been doing with Sun Microsystems during the past year has been focused on how to leverage Identity to enhance personalization of user experience across multiple “screens of your life.”  Project Destination, a Sun initiative which I lead, is all about enhancing online user experience through “Identity-enabled Service Orchestration and Delivery.”

Personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience  to fit what a user is doing at that time.  An effective combination of Identity and Context is essential for personalization.

Context refers to the idea that computer systems and networks can both sense and react based on their environment. For example, devices may have information about the circumstances under which they are able to operate and based on rules, or an intelligent stimulus, react accordingly.  Context is not simply a state, but part of a process in which users are intimately involved and user interfaces are adapted in real time to accommodate changes in user or system context. For example, a context aware mobile phone may know that it is currently in the meeting room, and that the user has sat down. The phone may conclude that the user is currently in a meeting and reject any unimportant calls. Context-aware systems are concerned with the acquisition of context, the abstraction and understanding of context, and application behavior based on the recognized context. Context awareness is regarded as an enabling technology for ubiquitous computing systems.  The Wikipedia article, “Context Awareness,” provides more details and valuable links to material on the subject.

The emergence of Context as a key component of personalization will likely accelerate as service providers seek to answer demand for the delivery of identity-enabled, highly personalized, blended services to subscribers of modern networks.

Combining a third element, “Preference,” will enable further personalization.  In a blog post entitled, “Identity, Context, Preference and Persona,” I proposed that the concept of persona is best understood as the intersection of three elements:

  • Identity = who I am
  • Context = what I am doing
  • Preference = what I want

Persona is not just a partial projection of one’s identity.  It must take into account the context in which a person exists at the moment, and the preferences the person makes relative to that particular situation. Personalization of a product or service must be synchronized with the persona of a person at any relevant point in time – his or her current persona.

I expect that two key context-enabled concepts will continue to gain more focus in the near future:

  1. Selective Personae refers to the ability of a person to choose which persona he or she desires to use in a particular context to enable certain types of online experiences.  For example, online systems (such as BigDialog, a project directed by eCitizen Foundation and Massachusetts Institute of Technology) are emerging to enable citizens to interact more effectively with government officials.  In such a case, a context-driven, selective persona system may validate that a user is indeed a citizen, but allow the user to specify how much personal information (e.g. age, marital status, race) he or she wishes to expose for a particular conversation.
  2. Purpose-driven Web refers to providing a context-driven online experience focused on what a person is doing or wants to do at a particular time, not just what sites the person may be visiting online.  For example, at the recent DIDW conference, Phil Windley, founder of Kynetx, proposed to enable contextualized, purpose-based user experiences using the web browser as a point of integration.

Recommendations:

Consider questions such as these to determine how your organization can leverage Context to enhance user experience:

  1. How can a more personalized user experience strengthen the relationship between my customers and my organization?
  2. What new business opportunities can we leverage if we can deliver better user experience to our users?
  3. In what different contexts (e.g. in-store, via web browser, with mobile phone, via TV, at home, at work, during travel) do my users interact with my organization?
  4. How can we augment Identity information we have about users with contextual information to further personalize user experience?
  5. How can information I have collected about user interactions with my organization be leveraged to further personalize a user experience?
  6. What privacy and security regulations limit how we can leverage user information?
  7. Can we effectively leverage user opt-in or opt-out techniques to meet individual user preferences?
  8. How can we leverage new context-driven concepts such as Selective Personae or Purpose-driven Web to personalize the user experience for our customers?

Identity Trend 7: Regulation and Compliance

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
9:40 am

This post is the seventh in a series of eleven posts I am writing about key trends in the Identity Management industry.

Government regulations have been enacted to address problems with fraud, governance, security and privacy arising in various industries.  For example, the Sarbanes-Oxley Act of 2002 (Sarbox) was intended to make corporate governance practices more transparent and to improve investor confidence. It addressed financial control and financial reporting issues raised by the corporate financial scandals, focusing primarily on two major areas: corporate governance and financial disclosure.

Government regulations tend to become more complex and far-reaching over time.  For example, to address the challenges of security and privacy, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to establish national standards for use of health care records. HIPAA provided a foundation upon which multiple regulations have been based to address issues with the administration and protection of sensitive medical records information.

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), also known as the Health Information Technology for Economic and Clinical Health Act (HITECH), includes a section that expands the reach of HIPAA by introducing the first federally mandated data breach notification requirement and extending HIPAA privacy and security liability to business associates of "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions on behalf of individuals).

The current trend to more extensive government regulation of industry will likely continue or escalate, placing additional burden on enterprises to comply with increasingly complex compliance mandates.

A second source for industry regulations comes from industry itself.  For example, the Payment Card Industry (PCI) Data Security Standard (DSS) is a global security standard for safeguarding sensitive credit card data.  This standard was established by the PCI Security Standards Council, an organization founded by industry leading enterprises: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

Identity and Access Management (IAM) is a critical enabler for compliance with government and industry regulations.  For example, Sarbox requirements for fraud reduction, policy enforcement, risk assessment and compliance auditing are supported directly by IAM technology and methods. By streamlining the management of user identities and access rights, automating enforcement of segregation of duties policies, and automating time-consuming audits and reports, IAM solutions can help support strong security policies across the enterprise while reducing the overall cost of compliance.

Similarly, IAM technology and processes, which control user access to data, applications, networks and other resources, can directly support HIPAA/HITECH requirements for privacy, security, auditing and notification.

Recommendations:

Practical experience in the field, gained as many enterprises have implemented IAM systems to support compliance efforts, has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance.  The following list of best practices will be explored in more detail in a subsequent blog post:

  1. Understand regulatory requirements that apply to your enterprise.
  2. Recognize IT’s critical role in the compliance process.
  3. Understand the role of IAM in supporting compliance.
  4. Think of compliance as a long-term program, not a single project.
  5. Establish compliance policies. Principles should be documented as a foundation upon which to build policies, practices and strategies.
  6. Develop a business-driven, risk-based, and technology-enabled compliance strategy.
  7. Collaborate with your business partners and associates.
  8. Establish a governance process.
  9. Implement your strategy in phases.
  10. Follow established standards.
  11. Give real-time visibility into compliance status, progress and risks.
  12. Unify disparate compliance efforts.
  13. Assess progress and adjust as necessary.

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.