During the second and third weeks of November, I will have the distinct pleasure of accompanying Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, in a series of three CIO Roundtables in New York, San Francisco and Washington, DC, and two CIO breakfast seminars in Toronto and Vancouver, Canada. 

Sponsored by Sun and moderated by CIO Magazine executives, these events will address the topic, “Identity Management – Pathway To Enterprise Agility”,  providing excellent forums to discuss such pertinent questions as:

1. How does strategic Identity Management contribute to business growth and not merely fulfill technology “need to do” requirements?
2. What Identity Management steps should you take to enhance business effectiveness?
3. How can good security governance is be good business?
4. Is your Identity Management system tuned for emerging marketplace requirements?
5. How does Identity Management address cloud computing?
6. How is Identity Management is enabling enterprises to capitalize – and not merely cope with – these realities?

To read more information about specific locations, including registration information, you can download .pdf fliers for each event:

1. Washington, DC – November 10th
2. New York, NY – November 11th
3. San Francisco, CA – November 12th
4. Vancouver, BC – November 13th
5. Toronto, ON – November 17th

Thanks! Hope to see you there.

This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.

One might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine grained authorization is like granting access to each individual attraction within the amusement park separately, based on some sort of policy.  Following this analogy, the most common method of Identity Management Authorization is like a full-day pass to Disneyland granting access to the front gate as well as every ride in the park.  Similarly, simple Identity Management authorization allows access to all functions within an application.

However, a trend is growing towards using standards-based, fine grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities.  For example, one user could be granted access to only simple data browsing privileges, while another user could be grated data creation or edit privileges, as determined by a policy stored in XACML format.   The definition and enforcement of this fine-grained authorization would be externalized from the application itself.

At the present time, fine grained authorization is desirable but difficult to implement.  It appears to be easier to define and control policies in an Identity system than changing each application to rely on an external system for authorization policy. 

Much is being discussed about policy management standards (e.g. XACML).  Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.

Recommendations:

As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:

1. Which of your applications could benefit most from fine-grained authorization?
2. How would externalizing policy management and enforcement streamline your applications?
3. How could standards such as XACML improve the management of security and access control policies in you organization?

Dare we think that Twitter might actually improve our quality of life?  Just ask Dilbert.

This post is the second in a series of eleven articles I am writing about trends in the Identity Management industry. 

After all is said and done, Authentication continues to be right at the heart of Identity Management.  Determining whether the correct set of Identity credentials is presented, so a person or process can be granted access to the correct system, application or data, is critical to the integrity of the online experience.   Authentication is like the gatekeeper or enforcer who determines who gets in the door. 

1. Demand for strong authentication is accelerating as the sophistication and sheer numbers of people who would defraud or damage online systems continue to grow.  More effort is being focused on just how to economically, but securely, implement strong authentication methods to protect confidential information.
2. As the need for strong authentication grows, there has been considerable conversation about whether the pervasive use of passwords is headed for extinction.  Is the password really on its deathbed? In a Network World column posted earlier this year, Dave Kearns equated passwords to buggy whips.  In my response entitled Passwords and Buggy Whips, I challenged “Replace username/password with what?"  Until we get wide acceptance of alternate methods, it is unlikely that passwords will join buggy whips in the dustbin of history.
3. In a subsequent post entitled, Seat Belts and Passwords … and Buggy Whips, I proposed that “until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.”  The key issue dogging the industry is how to provide identity credentials that are so easy to use that the technical unsavvy majority can easily use them while providing a level of security commensurate with the rising tide of online threats.

Recommendations:

1. Assess what level of security is needed for different areas of your enterprise.  In some cases, authentication must protect high value information.  In other cases, less strong authentication may be appropriate.
2. Seek to understand what your users need.  What methods are both secure and easy to use for them?
3. Is the cost of strong authentication commensurate with the risk of data loss or compromised system access?
4. What is the best combination of authentication methods to serve my user community and protect my business interests?

Many years ago, while involved in a large physical security project, we joked that you need to invest enough in your security system so it is cheaper to bribe the guard than to breach the electronic system.  The same principle may be true with Identity Authentication.

As I slept last night, my Twitter follower count edged above 1,000. In light of the fact that President Obama has 2,278,978  followers and even John McCain has 1,446,896, all this proves is that I am firmly entrenched way out on the long tail of the Twitter economy.

A provocative line in a song I have known since childhood declares, “Time flies on wings of lightning. We cannot call it back … ”

Based on an embarrassing social networking experience I had yesterday, I think we could safely paraphrase: “Words fly on wings of lightning. We cannot call them back!”

It all started when I noticed a comment from a prolific tweeter from London:

if you are retweeting something from google in order to get a wave invite then you are a <deleted>. and so are they. that is all.

Since I had just done that abominable thing, I quickly looked up <deleted> in the dictionary and posted this tweet:

Just learned a new word:  <deleted> = contemptible person; jerk.  Based on Twitter commentary, I must be one. 🙂

When that tweet reached Facebook, it triggered a small avalanche of comments.  It was great to see a friend speak up and say:

you are definitely not a <deleted>.

It was also nice to hear from a young man who used to live next door, but whom I haven’t seen in many years:

…my brother calls me a <deleted> all the time. I’m glad to get a definition on that…..sort of.

But I started to wonder what I had done when an acquaintance suggested:

Tip: Don’t have this conversation with anybody from the UK…. 🙂 … It has a very specific meaning across the Atlantic, one that is best left unexplained on a public forum 🙂

What had I done?  I quickly dug a bit deeper into the meaning of <deleted>, only to find he was exactly right.  I shouldn’t be using such language in a global forum.

Well, words had flown on wings of lightning.  I even tried to call them back via Twitter:

Actually, when I looked into it, it is definitely British slang that is not used in polite company.  Oops!

And later:

Lesson learned today: Be very, very wary of repeating slang used by a tweeter from another country.  Could be very embarrassing.

It was heartening to hear from some friends who obviously had a chuckle, but questioned my motives at first:

Whew! I frankly was a bit surprised to see the Mark Dixon I know using that term. We all learn something new every day!

Yeah Mark, I was gonna jump in and say something, but then I realized i have no business correcting anyone’s language.

LOL, I was wondering when you’d figure that word out. 😉

Well, I have been painfully reminded again that we must be very careful about what we sling out into cyberspace.  Words do indeed fly on wings of lightning!

This post is the first in a series of eleven posts I am writing about trends of key importance to the Identity Management industry.

As the following series of photos shows my son Eric progressing from infancy to young adulthood, the Identity Management market has matured, but still has a bright future ahead.

The Identity Management industry has been building for about a decade.  The market is definitely maturing out of adolescence into young adulthood.  Key characteristics of this maturing market include:

1. Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations, enterprises are concentrating on system refinement, expansion or replacement.
2. While the industry quite universally agrees that “quick wins” are essential first steps to implementing Identity Management systems, significant additional value can accrue as enterprises expand the reach and scope of their Identity infrastructure.
3. The importance of Identity governance is becoming entrenched in enterprise culture, as holistic initiatives to address the broad areas of governance, risk and compliance recognize the critical importance of Identity Management in these processes.
4. Experience has shown that Identity Management is a journey, not a destination.  Enterprises are recognizing that they must approach Identity Management as a long-term program, not a single project.
5. The industry continues to consolidate, as we at Sun are well aware.  While there are still several emerging niche companies, larger vendors offer complete suites of Identity Management products.
6. The major business drivers for investing in Identity Management systems still continue to be regulatory compliance, operational efficiency/cost and information security.  However, more focus is being placed on Identity as a key enabler of customer satisfaction through context-aware personalization.
7. Identity Management is also moving down market, particularly as vendors and systems integrators are addressing the issues of rapid deployment and reduced pricing for smaller businesses.

Recommendations:

In light of this maturing industry, I recommend that enterprises concentrate primarily on the business value Identity Management can deliver.  Questions such as these are appropriate:

1. Where am I on the journey to implement Identity Management in my enterprise?
2. Where has Identity Management already delivered value to my business?
3. Where else can Identity Management deliver value?
4. How can Identity Management enable Privacy and Security?
5. How can Identity Management enable compliance?
6. How can Identity Management increase efficiency and reduce cost?
7. How can Identity Management enable a better user experience to my customers?