I heard my first speech from Cory Doctorow at the Gartner IAM Summit this morning. He gave an interesting overview of the history of digital copyright law and attempts to enforce limited access by schemes such as Digital Rights Management and encrypted data streams. He expanded beyond this basic overview to discuss how current laws make it illegal to reveal hidden flaws in software and devices. Some points I found particularly thought-provoking include:

• The 1998 Digital Millennium Copyright Act  which criminalized breaking Digital Rights Management methods, wasn’t very effective, because people who were willing to break existing laws to steal content didn’t mind breaking another law.
• Current copyright laws designed to make it illegal to know how DRM or encrypted streaming video devices work (e.g. Netflix player devices) also make it illegal to reveal flaws in our computers.
• These laws may stop honest people, but support bad guys’ efforts to discover and weaponize vulnerabilities.
• The NSA and its British equivalent spent billions of dollars per year to find vulnerabilities in devices, but don’t reveal what they have found.
• Back doors to systems (such as government-requested back doors to encryption algorithms) have no allegiance.  We must assume that such back doors will be used for evil as well as good purposes.
• Be suspicious of any software you cannot audit or inspect. How else can you know what lurks therein?
• Remember – the capacity for human self-deception is bottomless. Will technology set us free or enslave us?

Interesting ideas worthy of further investigation.  The concept of unintended consequences certainly applied here.

Yesterday, at the Gartner Identity and Access Management Summit, Earl Perkins, Gartner’s Research Vice President in Systems, Security and Risk, gave a thought-provoking talk, proposing that Identity and Access Management as it is today is not going to cut it for the Internet of Things. Some the highlights include (filtered through the lens of my interpretation):

• IoT can be described as as set of devices that can sense and interact with the world around it. Such devices can sense, analyze, act and communicate.
• Devices, services and applications are creators or consumers of information, and must join humans in having identities.
• Architectural concepts of IAM may still hold, but the scale will be vastly larger and must accommodate more than human identities.
• Perhaps the word “thing” should be replaced by the term “entity”
• Every entity has an identity
• We need a model of entities and relationships between these entities.
• We must address layered hierarchies of identities.
• We should not separate device management and identity management systems.
• Identity Management and Asset Management systems will likely converge.
• Identity and Access Management may become:
• Entity Relationship Management
• Entity Access Management
• We may think of architectures in four levels: things, gateways/controllers, connectivity, applications and analytics.
• Two major camps of consumption: Enterprise (where more money is currently being spent) and Consumer (which is hot and sexy, but not currently making much money).
• Strong year-over-year IoT growth is happening in four industry sectors:
• Automotive – 67% CAGR
• Consumer – 32% CAGR
• Vertical specific – 24% CAGR
• Generic business – 44% CAGR
• Companies are “throwing jello against the wall” to see what sticks.

I really like Earl’s ideas about convergence of “entities” and “relationships” between entities.  Please note my blog post Identity Relationship Diagrams  posted in March 2013.

I also favor his view that identity management should not be separate from device management.

It will be interesting to see how architectures are transformed and what “jello sticks to the wall” in the coming years.