
Exploring the science and magic of Identity and Access Management
Monday, December 8, 2025

Graphs of Identities

Identity
Author: Mark Dixon
Thursday, February 28, 2013
4:44 am

Some interesting ideas are swirling in my mind in response to Ian Glazer’s challenge, “Killing IAM in Order to Save It” and Dave Kearns’ article “Pervasive and Ubiquitous Identity.”

Whether or not we need, as Ian suggests, to completely restructure IAM systems in order to progress is still a subject for debate, but the concept of thinking about and representing relationships between identities in a directed graph format is intriguing to me.

According to Wikipedia, “Graph databases are based on graph theory. Graph databases employ nodes, properties, and edges.” The following diagram gives a simple example. 

Graphdiagram

 

Using this method, we can visualize identities as nodes, each with relevant properties, and relationships between identities as edges.  Interestingly, the edges, or relationships, may also have identities and properties of their own.  

As Dave suggests, identities are not only for people, but for things, platforms and services.  The simple diagram below begins to illustrate this concept:

 

Identitygraph

 

 

The relationships (edges) are primarily verbs that describe what actions the relationship supports.  A primary role of identity management systems is to establish these relationships between people identities and service or thing identities in such a way that valuable actions can be performed.

These are a few of my thoughts.  What do you think?

PS. Can anyone recommend a good directed-graph drawing tool for Mac?
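
The model described in this post (identities as nodes with properties, relationships as verb-labelled edges that carry their own identity and properties) can be sketched as a small property graph that answers "why can this identity perform this action?". This is an added example, not code from the original post; the class names, the `member_of` and `expires` conventions and all sample identities are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Identity:
    id: str
    kind: str  # person, group, service or thing
    props: dict = field(default_factory=dict)


@dataclass
class Relationship:
    id: str    # the edge has an identity of its own
    src: str
    verb: str  # the action this relationship supports
    dst: str
    props: dict = field(default_factory=dict)

    def active(self, today):
        # Assumed convention: an optional ISO-date "expires" edge property.
        expires = self.props.get("expires")
        return expires is None or today <= date.fromisoformat(expires)


class IdentityGraph:
    def __init__(self):
        self.nodes = {}
        self.edges = {}  # source identity id -> outgoing relationships

    def add(self, identity):
        self.nodes[identity.id] = identity
        self.edges.setdefault(identity.id, [])

    def relate(self, rel):
        # Refuse dangling edges: both endpoints must be known identities.
        for end in (rel.src, rel.dst):
            if end not in self.nodes:
                raise KeyError(f"unknown identity: {end}")
        self.edges[rel.src].append(rel)

    def explain(self, subject, verb, target, today):
        """Return the edge ids that let subject perform verb on target,
        following active member_of edges breadth-first, or None."""
        queue, seen = deque([(subject, [])]), {subject}
        while queue:
            node, path = queue.popleft()
            for rel in self.edges[node]:
                if not rel.active(today):
                    continue
                if rel.verb == verb and rel.dst == target:
                    return path + [rel.id]
                if rel.verb == "member_of" and rel.dst not in seen:
                    seen.add(rel.dst)
                    queue.append((rel.dst, path + [rel.id]))
        return None


def build_sample():
    """Constructed sample graph; every name here is invented."""
    g = IdentityGraph()
    for ident in (Identity("alice", "person", {"dept": "finance"}),
                  Identity("bob", "person", {"dept": "sales"}),
                  Identity("finance-staff", "group"),
                  Identity("payroll", "service"),
                  Identity("home-alarm", "thing")):
        g.add(ident)
    g.relate(Relationship("r1", "alice", "member_of", "finance-staff"))
    g.relate(Relationship("r2", "finance-staff", "views", "payroll"))
    g.relate(Relationship("r3", "bob", "views", "payroll", {"expires": "2013-01-31"}))
    g.relate(Relationship("r4", "alice", "controls", "home-alarm"))
    return g

if __name__ == "__main__":
    print(build_sample().explain("alice", "views", "payroll", date(2013, 2, 28)))
```

The returned list of edge ids is the audit trail for the decision: an access review can show which relationships, in which order, grant an action, and an expired edge stops granting access without being deleted.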

 

Whether to Manage or Enable

Identity
Author: Mark Dixon
Friday, February 22, 2013
4:21 pm


Management: the act or manner of managing; handling, direction, or control. 

Enablement: to provide (someone) with adequate power, means, opportunity, or authority (to do something)

Several years ago, I heard Steve Sanghi, Chairman, Chief Executive Officer and President, Microchip Technology Inc., talk about how organization charts should be drawn upside down from the normal downward flow from CEO to employee.  He stressed that business leaders were more effective when they served those within their sphere of stewardship, rather than directed or controlled people. Leaders should enable their people to succeed, rather than dictate from above.

It occurred to me recently that this same viewpoint may apply to Identity Management (or should we call it Identity Enablement?).  The traditional enterprise viewpoint is to tightly control the assignment of access rights to individuals, while the  seemingly opposite user-controlled identity viewpoint would allow individuals to be in charge of their own identities.

Perhaps the two viewpoints could be more harmonious if we focus on enabling individuals to get the most value out of identities and relationships, rather than controlling the relationships.

Just a thought.

 

Big Data is Watching You

Identity, Privacy
Author: Mark Dixon
Tuesday, February 19, 2013
3:17 pm


Nishant Kaushik’s tweet today prompted some paranoid thoughts about the use of big data analytics.

Scary #Privacy News Day: Raytheon RIOT – http://t.co/FB4dsnjv AND Equifax selling Employer shared employee data – http://t.co/HZSeqN9E

The first article, “Software that tracks people on social media created by defense firm,” explored how Raytheon has developed a system to track us all:

A multinational security firm has secretly developed software capable of tracking people’s movements and predicting future behaviour by mining data from social networking websites. …

“Riot is a big data analytics system design we are working on with industry, national labs and commercial partners to help turn massive amounts of data into useable information to help meet our nation’s rapidly changing security needs.”

The second article, “Your employer may share your salary, and Equifax might sell that data,” stated:

The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.

These two articles triggered thoughts about Acxiom:

[Acxiom] peers deeper into American life than the F.B.I. or the I.R.S., or those prying digital eyes at Facebook and Google. If you are an American adult, the odds are that it knows things like your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams — and on and on. …

Few consumers have ever heard of Acxiom. But analysts say it has amassed the world’s largest commercial database on consumers — and that it wants to know much, much more. Its servers process more than 50 trillion data “transactions” a year. Company executives have said its database contains information about 500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.        

… and Lexis Nexis:

LexisNexis … is the largest data-broker in the world. They create vast profiles on people and use that information to create various reports that they sell to companies of all kinds. These reports are used to make decisions about renting, insurance and more. In the past these reports have been purchased by law enforcement and criminal organizations; all to find out more information about you.

Are there legitimate uses for all this data? Yes.  But is there potential for illicit exploitation and mis-use of that data?  I’d bet my bottom dollar on it.  The unintended consequences of amassing all this personal data are what worry me.

 

Abundance is Born of Shared Ideas

Identity
Author: Mark Dixon
Tuesday, February 19, 2013
2:40 pm


I was introduced to a book I am reading, “The Emergence of the Relationship Economy,” by a tweet from Rohan Pinto:

Leadership Is In The Ideas Not The Titles http://t.co/T7KJk0JK

This led me to a compelling article by Jay Deragon, one of the authors of “The Emergence …”.  In this post, Mr. Deragon made a particularly profound statement: 

An idea is an intangible asset that can be used over and over by millions of people, improved on and rapidly shared and consumed.  Abundance of wealth is being created from these intangible assets, ideas.

The concept of a shared idea was also treated by James Gleick in his book, “The Information.”  He quoted Jacques Monod, a French Nobel Prize winning biologist:

Ideas cause ideas and help evolve new ideas.  They interact with each other and with other mental forces in the same brain, in neighboring brains, and thanks to global communications, in far distant, foreign brains.

It is this concept of evolving of ideas through sharing that intrigues me.  Although ideas germinate in one person’s mind, it is often in the sharing of those ideas with other people that ideas grow and evolve and transform into powerful concepts that can transform our lives and the world around us.

Relationships between individuals – relationships between identities – provide the environment where seeds of ideas germinate, take root and grow.  Again, although individual identities can have great power, relationships can multiply that power immensely.

 

Graph Databases

Identity
Author: Mark Dixon
Friday, February 15, 2013
4:03 pm

The older I get (and I’m getting pretty old), the more I realize how little I know and understand in the ever-expanding universe of information.  But I take comfort in the fact I can learn a little bit new every day.

Today, I learned about Graph Databases.  One of the questions I posed in response to Ian Glazer’s recent post, “Killing IAM in Order to Save It,” was:

Are you proposing an entirely new data structure to manage the relationship graph? Neither LDAP directories nor relational databases really model the graph well, but I am not familiar with robust and proven alternate data structures that do a better job.

That shows my ignorance of emerging database technology.  After posting that comment and sheepishly realizing Ian probably knew what he was talking about, I googled “Graph Database” and came up with some interesting hits.  While it appears that graph databases are still in fairly early stages, at least for commercialized products, this technology appears to be well ensconced in the Googles, Facebooks and Twitters of the world.

A helpful article for me was “Graph Databases: The New Way to Access Super Fast Social Data,” published last fall by Mashable.  A couple of excerpts:

While we’re certainly not predicting the demise of traditional databases anytime soon, we are seeing an increasing number of applications where graph databases are being used to accelerate development and massively speed up performance. …

The complexities and dynamics of the real world, however, call for new methods. This is particularly true when the world is moving at the speed of web, and everybody is racing to get ahead of everybody else. Intricate and complex processes like human behavior, as well as dynamic interconnected systems, such as those found in nature and on the web, tend to be less static and predictable, and are ideal candidates for graph databases.

 That sounds like Ian Glazer talking to me.


I look forward to learning more, and particularly extending my discussion with Ian and others on the applicability of these databases for Identity and Access Management.

 

Achieving Better Compliance with Identity Analytics

Identity
Author: Mark Dixon
Friday, February 15, 2013
2:28 pm


Vadim Lander, Oracle’s Chief Identity Strategist, recently published a compelling article in Web Security Journal entitled, “Five Steps Toward Achieving Better Compliance with Identity Analytics.”  He observes:

Enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful.

Vadim recommends five steps toward more effectively leveraging identity analytics technology to assist enterprises in achieving robust identity compliance and remaining in compliance moving forward:

  1. Become risk aware
  2. Control privileged access
  3. Automate remediation
  4. Reduce the potential for audit violations
  5. Take a platform approach to identity management

An excerpt from the conclusion:

Automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

Hope you enjoy the article.

 

Relationship Value

Identity
Author: Mark Dixon
Friday, February 15, 2013
6:18 am

In the book “The Emergence of the Relationship Economy,” Jay Deragon proposes that:

The value of the relationship is categorized into four elements of the individual, and may be of one dimension or a combination:

  1. Economic
  2. Intellectual
  3. Emotional
  4. Spiritual

To understand the juxtaposition of Identity and Relationship, I listed some of my current relationships in the following tables:

 

People Relationships

IR people

 

The first table lists a few people relationships I have.  The first, my wife, provides value to me (that sounds kind of crass, actually) in all areas.  Her economic value comes not from revenue (she chose dual careers as  Homemaker and Stay-at-home-Mom), but in her thrift, wise use of money and sound economic advice.  In addition, I deeply value her wisdom, friendship and spirituality.

My relationship with Claudia is in quite stark contrast to my very distant relationship with my employer, Larry Ellison.  Sorry, Larry, I see the value of our relationship as primarily economic, although I must admit receiving a bit of intellectual stimulation from reading about your personal exploits.

On the other hand, my relationship with John, a colleague at Oracle, began as an economic relationship as we worked together in the sales organization, but grew into a deep friendship, with intellectual, emotional and spiritual value.

The final example is Neil, the Bishop of our church congregation and close neighbor.  We have developed a  friendship I value highly, based on strong spiritual, emotional and intellectual relationships.

It could be an interesting experience to assess the value we receive from all of the people with whom we interact in some way, but the real purpose of this post is to explore the value of relationships with information systems.   The following table illustrates a few of the systems with which I interact regularly.

 

System Relationships

IR systems

 

I definitely have an economic relationship with Oracle Payroll.  Twice every month, a nice paycheck drops into my bank account, and I log onto the payroll system to see how much money I pay in taxes and investments.  While I admit to deriving some emotional satisfaction from that process, we’ll let it remain as an economic value.

In contrast, the different email systems I use can provide value across the board, as I communicate with people on a wide range of subjects.

In social networks, LinkedIn is the vehicle I use to primarily keep track of professional colleagues and associates, although I get emotional value out of maintaining and building friendships with people across miles and time.

Facebook, on the other hand, is where I actively seek to strengthen emotional and spiritual ties with friends and family.

Kindle also sweeps the board – my virtual bookshelf contains titles that provide value in all four areas.

This brings me to a couple of examples of my relationship with “things” that deliver value.  I can monitor and control my new home alarm system from an app on my phone.  The system provides economic protection and emotional peace of mind.

Finally, my remote thermometer satisfies an intellectual curiosity about how hot it is outside, here in the Arizona desert.

It is important to note that how a person uses or views a particular system may influence the value he receives.  For example, I know of people who leverage Facebook primarily for economic advantage.  I just choose not to do that.

 

So What?

How does this relate (pun intended) to Identity?  Here are a few thoughts:

  1. Exposed Personae: Certainly different facets of my personal identity are exposed as I interact with different people.  Larry Ellison will never see (even if he cared to) parts of my personality that I have reserved for my closest friends.  My closest friends will never know of parts of myself I share only with my wife.
  2. Context: The context of relationships differs, depending on time of day, distance apart, frequency of interaction, mutual interests, etc.  Such differing context has a large impact on the value derived from relationships.
  3. Connection method:  How does the relationship connect me with the person or system?  With people, is the relationship primarily in person, by phone, via email, via  a social network or all of these?  Is a digital identity required to enable the relationship?
  4. Available functionality: For systems with which I interact, what functionality is available?  What can the system deliver that delivers value to me?
  5. Authorized access: Of the sum of all functionality in a system, what am I authorized to use, or what functions do I choose to use?

Focus on Value

Yesterday’s post illustrated a few cases of how relationships can exist between identities and resources or identities and people.  I propose that we should focus not on which relationships exist, but on what value can be derived from each relationship.

In interpersonal relationships, hopefully, value flows to both parties.  In the case of employee relationships with enterprise systems, hopefully value accrues both to the employee and employer.  In the case of individuals connecting to online systems or things, hopefully each person receives value from those relationships.

And Identity is at the core of making these relationships happen.

Stay tuned …

 

 

 

 

Identities and Relationships

Identity
Author: Mark Dixon
Thursday, February 14, 2013
5:55 pm

In line with my post yesterday about viewing identities and relationships from the vantage points of “enabling” and “protecting,” I created three diagrams to illustrate how relationships between people and resources or other people provide the opportunity for value creation.

The first diagram illustrates the relationships a person may typically have with information resources within an enterprise.  The objective of these relationships is to connect individual people with the applications or systems that may deliver value, both to the individual and to the enterprise.  Typically, these relationships are granted and governed by the enterprise.

 

IR Enterprise

 

The second diagram illustrates a person’s connection to items within the emerging Internet of Things.  In some ways, this model is similar to the enterprise model, in that connections are made between people and resources.  However, in this model, individuals typically would initiate and govern their own relationships with things that would deliver value to themselves.

 

IR Things

 

In the third model, people establish relationships not just with functions or services, but with people, effectively connecting identities together via a social relationship platform.

 

IR Facebook

 

In line with my comments yesterday, I propose that in each of these cases, relationships must be established to “enable” people to derive value they seek.  Both Identities and relationships must be “protected” to prevent the wrong people from interfering with a person’s desire to derive value from the relationship, whether it be with a function, service or other person.

That’s all tonight.  More on the morrow.

 

Identities and Relationships: Enable and Protect

Identity
Author: Mark Dixon
Wednesday, February 13, 2013
3:31 pm


My thoughts for this post were triggered primarily by two items – me beginning to read “Emergence of the Relationship Economy” and reading Nishant Kaushik’s tweet Monday:

Is Identity The New Perimeter? – http://t.co/gSQwni5d. Check out the article to see my answer. Hint: It might surprise you. #IAM

I was intrigued by the subsequent conversation:

Ian Glazer:  Good read: http://t.co/gVQHy7MI @NishantK says #IAM is the perimeter. I say relationships are the perimeter. Probably ought to blog this

Dave Kearns:  RT @lpeterman: @iglazer @NishantK Relationships designate the borders of the identity perimeter

Nishant: @iglazer If an account being provisioned to a person is a relationship, if attributes are related to a person, then IAM=Relationship M. So..

Nishant:  @iglazer So…, question is what is the difference between Identity Management and Relationship Management? Where is the separation?

Of course, there were also bits of levity:

Paul Madsen: My take? Circumference is the new perimeter.+

Dave Kearns:  RT @NishantK: @iglazer what is the difference between Identity Management and Relationship Management? Oprah’s name doesn’t come up in IdM

First, I agree that from an information security standpoint, the perimeter has drastically shifted. There is no longer a firm physical or logical perimeter around an enterprise that can be hardened sufficiently to minimize risk to the people and systems inside.

To realize that we must focus on the individual rather than the enterprise boundary as a first line of action and defense certainly seems wise to me.

But what is the correct terminology?  Is IAM really Relationship Management?  Is Identity the New Perimeter?  Are Relationships at the real border?

Although I am late to the conversation, here are a few of my thoughts on the subject:

A digital Identity represents a single person or thing in some way.  A digital Identity can certainly include attributes or characteristics that uniquely identify such a person or thing.  A digital Identity surely has value and meaning in and of itself.  However, I believe relationships are what give Identities real substance, particularly as we consider the subject in light of current and emerging business models.

Real-world relationships constitute linkages between individuals, or between individuals and organizations, or between individuals and things. We may describe digital relationships as the attributes, permissions, entitlements and roles that define how digital identities are linked with organizations, people or things in the overall ecosystem in which the identities reside or participate.

So, is it appropriate to talk about “Identity Management” or “Relationship Management?”  I propose that both are included in the common definition of Identity and Access Management.  Surely, IAM includes managing individual digital identities (e.g., names, attributes, credentials).  However, IAM also includes the management of relationships – assignment of entitlements to an identity is a good example.

However, I think “management” is the term that is out of whack – not identity or relationship.  Management typically implies one way force, control or direction.  This is the case for traditional IAM – the enterprise creates, owns and governs the identities and associated relationships for all of its users.

On the other hand, the philosophy behind personal identity management implies that each individual should create, own and govern his or her own Identity free of coercive control from an enterprise.

I don’t think the boundary is as cut and dried as that.  It is helpful to consider what enterprises really want and what individuals really want.  If we look at the issue that way, I think the verbs “enable” and “protect” are more descriptive than “manage.”

As an individual, I want to participate in systems that “enable” me (as defined by my digital identity) to form relationships that deliver value to me.  I also want systems that “protect” both my identity and the relationships I enter against threats from impostors, thieves and vandals.

On the flip side, I think enterprises seek similar value.  They want to “enable” their users (think digital identities) to establish relationships with systems, people and things that will deliver value to the enterprise.  They also want to “protect” the identities and relationships of their users against threats from bad folk.

The CRM/VRM debate is an example of looking at relationships from different viewpoints.  At one extreme is the enterprise wanting to exert onerous control over all its customers to maximize commerce – hence customers managed by enterprises.  At the other extreme is the enlightened consumer wanting to be free from enterprise tyranny – or vendors managed by consumers.

However, the optimal answer probably lies somewhere on the scale between the extremes.  In both cases, if we concentrate on what both parties really want, we will progress to a more optimum solution.

If we are to progress toward a highly cooperative ecosystem where multiple  relationships deliver superior value as envisioned by “Emergence of the Relationship Economy,” we must build infrastructure to “enable” and “protect” identities and relationships from multiple points of view.

 

 

Glacier Calving – Amazing!

Nature
Author: Mark Dixon
Friday, February 8, 2013
3:22 pm

When I grew up on the farm in Idaho, calving was a great event – a new little calf coming into the world.

Calving of glaciers is a completely different thing – but still amazing, as shown in this video, which is reported to be the “largest glacier calving ever filmed.”

Hope you enjoy this spectacular video as much as I did.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.