
Exploring the science and magic of Identity and Access Management
Sunday, December 21, 2025

Identities and Relationships: Enable and Protect

Identity
Author: Mark Dixon
Wednesday, February 13, 2013
3:31 pm

Magnets

My thoughts for this post were triggered primarily by two items – my beginning to read “Emergence of the Relationship Economy” and reading Nishant Kaushik’s tweet Monday:

Is Identity The New Perimeter? – http://t.co/gSQwni5d. Check out the article to see my answer. Hint: It might surprise you. #IAM

I was intrigued by the subsequent conversation:

Ian Glazer:  Good read: http://t.co/gVQHy7MI @NishantK says #IAM is the perimeter. I say relationships are the perimeter. Probably ought to blog this

Dave Kearns:  RT @lpeterman: @iglazer @NishantK Relationships designate the borders of the identity perimeter

Nishant: @iglazer If an account being provisioned to a person is a relationship, if attributes are related to a person, then IAM=Relationship M. So..

Nishant:  @iglazer So…, question is what is the difference between Identity Management and Relationship Management? Where is the separation?

Of course, there were also bits of levity:

Paul Madsen: My take? Circumference is the new perimeter.+

Dave Kearns:  RT @NishantK: @iglazer what is the difference between Identity Management and Relationship Management? Oprah’s name doesn’t come up in IdM

First, I agree that from an information security standpoint, the perimeter has drastically shifted. There is no longer a firm physical or logical perimeter around an enterprise that can be hardened sufficiently to minimize risk to the people and systems inside.

To realize that we must focus on the individual rather than the enterprise boundary as a first line of action and defense certainly seems wise to me.

But what is the correct terminology?  Is IAM really Relationship Management?  Is Identity the New Perimeter?  Are Relationships at the real border?

Although I am late to the conversation, here are a few of my thoughts on the subject:

A digital Identity represents a single person or thing in some way.  A digital Identity can certainly include attributes or characteristics that uniquely identify such a person or thing.  A digital Identity surely has value and meaning in and of itself.  However, I believe relationships are what give Identities real substance, particularly as we consider the subject in light of current and emerging business models.

Real-world relationships constitute linkages between individuals, or between individuals and organizations, or between individuals and things. We may describe digital relationships as the attributes, permissions, entitlements and roles that define how digital identities are linked with organizations, people or things in the overall ecosystem in which the identities reside or participate.

So, is it appropriate to talk about “Identity Management” or “Relationship Management?”  I propose that both are included in the common definition of Identity and Access Management.  Surely, IAM includes managing individual digital identities (e.g., names, attributes, credentials).  However, IAM also includes the management of relationships – assignment of entitlements to an identity is a good example.

However, I think “management” is the term that is out of whack – not identity or relationship.  Management typically implies one way force, control or direction.  This is the case for traditional IAM – the enterprise creates, owns and governs the identities and associated relationships for all of its users.

On the other hand, the philosophy behind personal identity management implies that each individual should create, own and govern his or her own Identity free of coercive control from an enterprise.

I don’t think the boundary is as cut and dried as that.  It is helpful to consider what enterprises really want and what individuals really want.  If we look at the issue that way, I think the verbs “enable” and “protect” are more descriptive than “manage.”

As an individual, I want to participate in systems that “enable” me (as defined by my digital identity) to form relationships that deliver value to me.  I also want systems that “protect” both my identity and the relationships I enter against threats from impostors, thieves and vandals.

On the flip side, I think enterprises seek similar value.  They want to “enable” their users (think digital identities) to establish relationships with systems, people and things that will deliver value to the enterprise.  They also want to “protect” the identities and relationships of their users against threats from bad folk.

The CRM/VRM debate is an example of looking at relationships from different viewpoints.  At one extreme is the enterprise wanting to exert onerous control over all its customers to maximize commerce – hence customers managed by enterprises.  At the other extreme is the enlightened consumer wanting to be free from enterprise tyranny – or vendors managed by consumers.

However, the optimal answer probably lies somewhere on the scale between the extremes.  In both cases, if we concentrate on what both parties really want, we will progress to a more optimum solution.

If we are to progress toward a highly cooperative ecosystem where multiple  relationships deliver superior value as envisioned by “Emergence of the Relationship Economy,” we must build infrastructure to “enable” and “protect” identities and relationships from multiple points of view.

 


Glacier Calving – Amazing!

Nature
Author: Mark Dixon
Friday, February 8, 2013
3:22 pm

When I grew up on the farm in Idaho, calving was a great event – a new little calf coming into the world.

Calving of glaciers is a completely different thing – but still amazing, as shown in this video, which is reported to be the “largest glacier calving ever filmed.”

Hope you enjoy this spectacular video as much as I did.


What a Storm!

General
Author: Mark Dixon
Friday, February 8, 2013
3:13 pm

Hello my friends and colleagues on the East coast of the US!  NASA is watching over you!

Hope you remain safe from the ravages of this big storm.


NIST Authentication Guidelines – Draft Report

Identity
Author: Mark Dixon
Tuesday, February 5, 2013
5:53 pm

Ironically, a couple of weeks after the @OracleIDM #authchat Tweet Jam about trends in authentication was held, NIST released DRAFT Special Publication 800-63-2, Electronic Authentication Guideline, over 110 pages of scintillating reading on the subject:

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.

No, I haven’t read the entire report, but I did skip forward to page 102 because the table of contents promised a discussion of “Password Entropy,” and I really like the word “entropy.”  But alas, the most profound thing I read was the obvious: “Empirical and anecdotal data suggest that many users choose very easily guessed passwords, where the system will allow them to do so.”

Enjoy!


Superbowl Social Media Score: Twitter 26, Facebook 4

Social Media
Author: Mark Dixon
Tuesday, February 5, 2013
5:07 pm

An interesting article published Sunday in Marketing Land was entitled, “Game Over: Twitter Mentioned In 50% Of Super Bowl Commercials, Facebook Only 8%, Google+ Shut Out.”  According to the article,

Twitter was mentioned in 26 of 52 national TV commercials — that’s 50 percent of the spots that aired during CBS’ game coverage. Facebook was mentioned in only four of those commercials — about eight percent. Google+, which is reportedly the No. 2 social network in the world, wasn’t mentioned at all.

 

At first blush, it would seem that Twitter might be gaining on Facebook in popularity.  However, I think another reality is at play here.  Twitter is really a broadcast medium – ideally suited to quick 30 second commercials of the Superbowl variety.  Plus, hashtags are easy for advertisers to include in a commercial and easy for readers to reference after the fact.

Facebook is more of a relationship medium – better suited to conversations among people and without the relative ease of using hashtags.

But this is interesting just the same.  Marketing experts and wannabes will be debating over this for months.  Will Facebook start supporting hashtags in some interesting way?


New Word for Today: Idoneous

Humor, Information Security
Author: Mark Dixon
Friday, February 1, 2013
5:52 pm

My Dad once told me, “If you keep your eyes and ears open, you’ll learn something new every day.”

Today, I stumbled across that new thing on Twitter.  Thank you @rmogull, for pointing out @451wendy’s blog, “Idoneous Security.”

What a great word! It describes just how much security we need – the appropriate amount.  Not too much, not too little, just idoneous.

Plus, for good measure, Wendy’s blog post today was hilarious.


Trend Watch: Identity Management Top 5

Identity
Author: Mark Dixon
Friday, February 1, 2013
4:53 pm

This week’s Oracle Information InDepth Security newsletter, “Inside Out Edition,” featured comments from Vadim Lander, Oracle’s chief identity architect, on key trends that will shape identity management in 2013 and beyond. The trends he described are:

  1. Mobility Is Gaining Momentum
  2. Identity Management as a Service Is Emerging
  3. A Trend Towards Portable Identity
  4. Authentication Services Are Evolving
  5. Organizations Continue to Move from Silos to Centralized Systems

I was particularly intrigued by his comments on portable identity:

I expect Oracle customers using Oracle applications via SaaS will increasingly use their Oracle Cloud identity as the identity for a chunk of their user populations, rather than trying to maintain multiple identities in their on-premises system.  Since Oracle is already maintaining a cloud identity for every Oracle Cloud user, that identity is portable as far as the user is concerned. Even if users leave the organization, their Oracle identity can still belong to them as they change jobs. Just as your Google or Facebook identity can provide portability, your Oracle identity may be able to provide the equivalent in a business context.

Oracle as business IdP?  Intriguing thought.


IAM Tweet Jam: Authentication

Identity
Author: Mark Dixon
Thursday, January 31, 2013
7:38 pm

Last week, I participated in the first IAM Tweet Jam led by Mike Neuenschwander on @OracleIDM to discuss Authentication trends and predictions for 2013.  I really enjoyed the interchange of ideas and insight about such a timely topic in Identity Management.

Today, the highlights of the Tweet Jam were posted on Storify.  I was pleased to see that my concluding tweet was published:

I look forward to participation in further IAM Tweet Jams.

Thanks, Mike, for hosting this event.


Weightless Water Bubble

Space Travel
Author: Mark Dixon
Thursday, January 31, 2013
7:25 pm

This is so cool … from the daily NASA photo stream:

NASA astronaut Kevin Ford, Expedition 34 commander, watches a water bubble float freely between him and the camera, showing his image refracted, in the Unity node of the International Space Station.


Report: Mitigating Insider Threats

Information Security
Author: Mark Dixon
Friday, December 14, 2012
1:42 pm

A colleague referred me today to a long, but very useful technical report, “Common Sense Guide to Mitigating Insider Threats, 4th Edition,” published in December 2012 by the CERT® Program at Carnegie Mellon University.  The report abstract states:

This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University’s Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so.

It was interesting to read how the patterns and trends that the team observed indicated four classes of malicious insider activity:

  1. IT sabotage—an insider’s use of IT to direct specific harm at an organization or an individual
  2. theft of IP—an insider’s use of IT to steal IP from the organization. This category includes industrial espionage involving outsiders.
  3. fraud—an insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft of information that leads to an identity crime (e.g., identity theft or credit card fraud)
  4. miscellaneous—cases in which the insider’s activity was not for IP theft, fraud, or IT sabotage

The following chart shows the top six infrastructure sectors for the three most important classes: Fraud, Sabotage, and Theft of IP:

The nineteen practices that are included in the report are:

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls.
  3. Incorporate insider threat awareness into periodic security training for all employees.
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  10. Institute stringent access controls and monitoring policies on privileged users
  11. Institutionalize system change controls
  12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure
  15. Implement secure backup and recovery processes
  16. Develop a formalized insider threat program
  17. Establish a baseline of normal network device behavior
  18. Be especially vigilant regarding social media
  19. Close the doors to unauthorized data exfiltration.

All in all, it is a very insightful and helpful report.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.