[Log In] []

Exploring the science and magic of Identity and Access Management
Friday, December 13, 2024

I am (an honorary) Canadiam!

Identity
Author: Mark Dixon
Saturday, November 14, 2009
3:37 am

About a month ago, I received an invitation to join a new LinkedIn group, “Canadiam – IAM in Canada,” hosted by Mike Waddingham, whom I had never met in person.  Mike had recently launched a new blog of the same name, and formed the LinkedIn group to complement his blog. Mike asserted:

"Identity and Access Management in Canada is different. American identity issues are complicated by their obsession with national security. British data and privacy laws are decidedly different than ours. Identity and Access Management (IAM) implementations vary greatly from country to country. We need a ‘conversation’ about IAM in Canada. Canadiam is that conversation.”

The call for a Canadian IAM conversation is certainly timely, and I think the blog/group name is great, reminiscent of the legendary Molson Beer commercial, "I am Canadian", which Mike embedded within the maiden post on the Canadiam blog and I include here for your enjoyment.

Back in 2000 when this commercial was first released, I was employed with Oracle and doing quite a bit of work in Canada, so watching it again brought back fond memories of choice experiences I have had with great friends north of the border.

So, I joined Canadiam as an “honorary” Canadian, and enjoyed reading Mike’s posts, including “Canada’s top court enforces license photos,” and “Canadian Identity Assertion.”  Even though I don’t quite fit the qualifications specified in the Canadian Identity Assertion, I am honored to be associated.

Fast forward to yesterday morning.  I had arrived in Vancouver to participate as a panelist in the CIO Magazine / Sun Microsystems breakfast event, “Identity Management – Pathway to Enterprise Agility.”  Before joining my colleagues at the event, I took a moment to post a short message on the Canadiam LinkedIn group that I was in town and would participate in a similar event in Toronto next Tuesday.

We had a great session, moderated by John Pickett, VP & Community Advocate at IT World Canada. Michelle Dennedy and I fielded questions about Identity Management, Privacy, Security and Cloud computing from John and members of the audience.  After the session, a man from the rear of the room, who had offered several insightful comments and excellent questions, came forward to introduce himself.  It was none other than Mike Waddingham himself!  I hadn’t recognized him from his LinkedIn photo and certainly didn’t expect him to be in attendance.  I had assumed he lived in the Toronto area.  But Mike had travelled to Vancouver from his home base in Edmonton to attend the event.

I never cease to be amazed at the surprise personal encounters I have at almost professional gathering I attend, where I meet people in person for the first time after connecting previously on line.  The magic of online interaction, while valuable and delightful in and of itself, always seems to be amplified by face-to-face interaction.

So, Mike and all you Canadiams, thanks for the privilege of being numbered among you as an honorary Canadian.  Thanks for giving me another treasured “social networking moment.” I look forward to participating further in the Canadian IAM discussion.

 

Happy Veteran’s Day!

General
Author: Mark Dixon
Wednesday, November 11, 2009
11:24 pm

It’s after 11pm in my San Francisco hotel room, where I arrived after a successful meeting in New York City, a transcontinental flight and late dinner.  But I can’t go to sleep without sharing a wonderful video pointed out to me by Twitter acquaintance Mame Hampton (@momthebom).

Thanks to all the wonderful soldiers and veterans who have done so much and are continuing to serve so well to keep us free!

And thank you, Mame, for sharing this wonderful message with us.

Technorati Tags: , , ,
Comments Off on Happy Veteran’s Day! . Permalink . Trackback URL
 

Best Practices for the IAM/Compliance Journey

Identity
Author: Mark Dixon
Tuesday, November 10, 2009
3:05 am

As explained in my recent post, I am awaiting final publication of a white paper I recently authored, entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.”  This post is a excerpt from that paper.

In the thirteen years since the initial passage of the HIPAA act, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. We recommend the following:

  1. Understand requirements. By developing a better understanding of compliance requirements, how compliance affects information technology (IT), and how IT in general and IAM specifically can help support the privacy, security and notification requirements of HIPAA/HITECH, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.

  2. Recognize IT’s critical role. In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of HIPAA/HITECH compliance, enterprises can maximize the value of their technology investment.

  3. Understand the role of IAM. IAM plays a critical role in compliance with HIPAA/HITECH privacy, security and notification requirements.. However it does not automatically satisfy all HIPAA/HITECH requirements. Recognizing the value and the limitations of IAM in the entire spectrum of HIPAA/HITECH compliance is essential.

  4. Think program, not project. HIPAA/HITECH compliance is a journey, not a short term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

  5. Establish privacy and security policy. A success privacy and security program requires a documented set of principles, policies, and practices. Using the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information as a guide, the enterprise’s privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.

  6. Develop a strategy. The only way to effectively address the wide spectrum of compliance requirements is to integrate them into a common compliance strategy that is intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality.

  7. Collaborate. HITECH extends compliance responsibility and penalties to all business associates. Work closely with your vendors and business partners to form an overall security and privacy framework, including updating legal relationship documents as ncessary.

  8. Establish a governance process. Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.

  9. Implement your strategy in phases. By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.

  10. Standards. Follow the NIST and other applicable standards for electronic healthcare records. Adjust to form a compliance model with this emerging standard. Focus on open standards and vendors that are open standards compliant to insure long-term flexibility of computing platforms and security frameworks.

  11. Give real-time visibility. Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communications with all stakeholders is essential.

  12. Unify disparate compliance efforts. Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together compliance, governance, and risk management under a holistic framework, can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company’s compliance efforts in a sustainable, strategic, and cost effective manner.

  13. Assess progress and adjust as necessary. Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results.

Please let me know what you think.  What have you found that really works in this IAM/Compliance Journey?

 

CIO Roundtables: Identity Management – Starts Tomorrow!

Identity
Author: Mark Dixon
Monday, November 9, 2009
6:12 pm

Tomorrow is the first of five “CIO  Roundtables” sponsored by CIO Magazine and Sun Microsystems to be held in Washington DC, New York, San Francisco, Vancouver and Toronto.  It will be a good experience to participate in each event with Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, and dozens of CIOs and IT management folks in what promises to be a lively and invigorating discussion of Identity Management issues facing modern enterprises and government institutions.  We will address the subject, “Identity Management – Pathway To Enterprise Agility.”

A list of locations and further information are included in a previous post.

Comments Off on CIO Roundtables: Identity Management – Starts Tomorrow! . Permalink . Trackback URL
 

The Role of IAM in HIPAA/HITECH Compliance

Identity
Author: Mark Dixon
Monday, November 9, 2009
5:48 pm

I recently authored a white paper entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.”  The paper is now in the final editing and formatting process.  As we awaiting the final publishing date, let me share an excerpt from the paper, focused on the key ways IAM enables HIPAA/HITECH compliance.

HIPAA/HITECH requirements for privacy, security, auditing and notification are supported directly by IAM. By streamlining the management of user identities and access rights and automating time-consuming audits and reports, IAM solutions can help support strong privacy and security policies across the enterprise and throughout Health Information Networks while reducing the overall cost of compliance.

IAM provides the following key enablers for HIPAA/HITECH compliance:

  1. Assign and control user access rights. Securely managing the assignment of user access rights is critical to HIPAA/HITECH compliance, particularly in distributed and networked environments typical of modern healthcare business. Decentralized provisioning is not only inefficient and costly, it also increases the risk of security and privacy violations. Automated provisioning allows centralized control of resources and applications that have historically existed in silos. This provides a much greater level of control over access to those resources. Checking audit policy at the time or provisioning ensures regulatory compliance, thus preventing audit policy violations.

  2. Adjust user access rights when responsibilities change. Business risk is introduced when employees change jobs and access isn’t appropriately adjusted or removed. Failing to appropriately adjust or remove users’ access when job changes occur can result in superuser-access and SOD violations. Automated provisioning effectively eliminates many of these risks, especially when combined with auditing and role management capabilities.

  3. Revoke user access upon termination. IAM systems can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly-exploited security gap and opportunity for policy violation that may occur after an employee or contractor has been dismissed.

  4. Manage allocation of user credentials. Managing user names, passwords and other user access credentials is essential to assuring that only authorized users are granted access to information systems. IAM technology can provide enterprise-wide control of user credentials, including the enforcement of uniform password policies (e.g. password strength, periodic change).

  5. Enforce segregation of duties (SOD) policies. Segregation of duties (also known as separation of duties), has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. IAM methods can prevent, detect, and resolve access rights conflicts to reduce the likelihood that individuals can act in a fraudulent or negligent manner. Once violations are identified, notification and remediation steps are automatically initiated based on corporate policies.

  6. Provide uniform access policy. IAM can provide administration and enforcement of common user access policies across a wide span of diverse systems, improving executive confidence in how the enterprise complies with HIPAA/HITECH requirements.

  7. Manage access based on business roles. Provisioning and auditing at the business role level, rather than just at the IT access control level, ties user access rights more closely to business processes. With a role management solution, managers can approve access rights that have a meaningful business context, thus reducing the risk of managers inadvertently creating SOD violations by granting carte blanche access to their direct reports.

  8. Enforce secure access policies. While automated identity administration, provisioning and auditing are essential to HIPAA/HITECH compliance, these methods don’t actually enforce the use of security policies when a user accesses the controlled systems. IAM Access Management technology can enforce user access policy at the point of entry to an application or other system, in harmony with established policy. Examples of such enforcement include Web access management (including single sign-on or SSO), enterprise single sign-on (ESSO), and Web service security.

  9. Enforce informed consent principles. Informed consent principles (e.g. opt-in, opt-out, notice) can be enforced, based on identities of individual patients and potential users of personal information associated with such data.

  10. Extend access control to business associates. Identity Federation can extend access control beyond enterprise boundaries to enable secure access to electronic records while safeguarding the privacy of sensitive information. This is essential to complied with extended requirements of HITECH.

  11. Verify access rights. While automated user access provisioning is designed to accurately assign access rights, such access rights should be confirmed by audit. IAM can provide the ability to both assign access rights according to established polices and then periodically verify that access rights are still compliant with those same policies.

  12. Conduct periodic compliance assessments. Periodic audits of access rights and privileges can assure that security and privacy policies are consistently enforced. Re-certification is a process where managers approve direct reports’ access to enterprise resources and applications. IAM can provide the ability to automatically present managers with the correct information to attest to each employee’s access rights needs. By applying role management principles, this re-certification process can enable the approving manager to work at the business-role level, attesting to those entitlements quickly and accurately because they are given in a meaningful business context.

  13. Provide automated reports. The delivery of accurate, timely and complete reports can assess compliance with established requirements. IAM can provide scheduled and ad-hoc compliance reports, including automated violation notifications, comprehensive work flow processes, and audit assessment reports. Such reports can generated across multiple systems and enterprise applications and be submitted to appropriate people within the enterprise, to business associates and to appropriate regulatory agencies.

I’ll share more excerpts soon and let you know when the full paper is ready for download.  Please stay tuned.

 

Identity Management Trends and Predictions: Index

Identity
Author: Mark Dixon
Thursday, November 5, 2009
2:13 pm

Over the past several weeks, I have posted a series of articles about Identity Management Trends and predictions.  This brief post provides an index to that series of posts.

Overview article: Identity Management Trends and Predictions

Individual articles:

  1. Market Maturity
  2. Authentication
  3. Authorization
  4. Identity Assurance
  5. Roles and Attributes
  6. Identity Federation
  7. Regulation and Compliance
  8. Personalization and Context
  9. Identity Analytics
  10. Internet Identity
  11. Identity in the Cloud

Thanks for joining me in this little exploration.  Any feedback you might have would be most welcome.

Comments Off on Identity Management Trends and Predictions: Index . Permalink . Trackback URL
 

Identity Trend 11: Identity in the Cloud

Identity
Author: Mark Dixon
Thursday, November 5, 2009
1:52 pm

This post is the last in a series of eleven posts I have written about trends in the Identity Management industry. 

imageI am certainly not an expert in the entire field of cloud computing, but find it fascinating to learn about this significant trend in computing technology. I recently read a book entitled, “The Big Switch:  Re-wiring the World, from Edison to Google,” by Nicholas Carr, which proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model.  While I agree that the general direction is correct, there are several factors which make a move to utility computing much more difficult than a move to utility electricity generation.  I’ll address some of my thoughts about those differences in a future blog post.

Nevertheless, we can see that just like Identity is a core platform technology for computing in traditional enterprise IT environments, Identity is a critical foundation for cloud computing or utility computing.  Identity may be a component of cloud computing infrastructure, or exposed as a separate set of services in the form of Identity as a Service (IDaaS).

In some ways, the challenges and solutions about Identity in the Cloud are similar to Identity in traditional data center.   However, there is increased technical and administrative/legal complexity because of the locations and increased number of physical and virtual components involved. 

A few of the areas of increased complexity include:

  • Scale and distribution: Large numbers of accounts on large numbers of servers distributed globally.
  • Division of responsibility: The different levels of cloud computing – Infrastructure as a Service, Platform as a Service and Software as a Service  – may be split between different service providers.
  • Security Policy: Logging and auditing are essential to assure that cloud providers are not circumventing or compromising security policy.
  • Risk Management: Risk profiles are different for cloud users, depending on type of company (e.g. difference between SMB and high profile public company).
  • Legal and administrative: Control of Identity is often be delegated to external parties, so more complex trust relationships must be put in place.
  • Pricing.  How will Identity Services in the cloud be priced? How can the business value of Identity Services be quantified?
  • Governance.  How will Identity governance procedures become more complex as the number of stakeholders and individual companies increases?

One example of this increased complexity was highlighted in a recent legal case, where a lawsuit filed against eBay in Pennsylvania was transferred to Santa Clara, California because of a clause in eBay’s user agreement.  As with many areas of technology advancement, I expect that legal and procedural issues associated with cloud computing will be a challenging as the technologies involved.

A number of companies are emerging with the express emphasis of Identity Management in Cloud computing.  A couple of such companies I have recently connected with are Symplified and Conformity.  I expect many more will emerge and that existing vendors of Identity Management software will release software versions specifically tailored for cloud computing.

For example, some interesting discussions about cloud computing have been held with Oracle recently.  When asked about cloud computing by Ed Zander at the Churchill Club on September 21, 2009, Larry Ellison remarked, “just a lot of water vapor – nothing new!”

On the surface, it would seem that Larry was denigrating the whole idea of cloud computer.  However, further discussions revealed that Larry thinks that cloud computing is just another label for technology that has been around for awhile.  Oracle has been offering their ERP applications in a hosted, pay-as-you-go model for a decade.  I actually worked on that initiative while employed by Oracle nearly a ten years ago.

Coincidentally, the day I heard about Larry Ellison’s comments at the Churchill Club, I learned that Nishant Kaushik of Oracle had recently given an interesting presentation entitled “Identity Services And The Cloud.”  He also gave a follow-on presentation at Oracle Open World, entitled, “Identity Management in the Cloud: Stormy Days Ahead?”  Clearly, Oracle is right in the middle of addressing the issues surrounding Identity in the Cloud.

Questions to consider:

As you consider the implications of Identity Management as it applies to cloud computing, perhaps these questions will help:

  1. How does your enterprise use cloud-based computing now?
  2. What are your plans for the future?
  3. How do you plan to leverage your existing Identity infrastructure as you adopt more cloud-based computing models?
  4. What information security challenges do you see in extending Identity and Access Management into the cloud?
  5. How will inclusion of multiple cloud computing vendors affect your privacy protection methods?
  6. How will you will you comply with internal and external audit requirements as you adopt cloud computing principles?
Comments Off on Identity Trend 11: Identity in the Cloud . Permalink . Trackback URL
 

Identity Trend 10: Internet Identity

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
5:39 pm

This post is the tenth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the traditional Identity Management market grew up meeting needs of Identity Management for enterprises, but, of course, Identity plays a large, essential role in the external Internet as well.  Modern enterprises are increasingly interconnected using the external Internet, but usually when we speak of Internet Identity, we are discussing the relationships between individuals and online service providers, as opposed to users of internal enterprise systems.  In this context, at least two major characteristics of Internet Identity Management are substantially different than Enterprise Identity Management.

  1. Super-scale. Internet Identity systems must scale to accommodate hundreds of millions or billions of individual Identities, as opposed to hundreds of thousands in the largest enterprise Identity systems. Internet scale is enormous.  Billions of people in the world have online accounts, and most online users have several online accounts, often across multiple devices.   The administration of these enormous quantities of identity credentials is currently highly redundant, error prone and costly.  Yet demands for privacy and security impose high standards on these Identity systems.
  2. User-managed Identities.  Rather than supporting the typical “assignment” and “administration” of identity credentials in enterprise setting, Internet Identity systems typically allow users to “choose” and “manage” their own identity credentials.  Ubiquitous standard methods do not yet exist to allow a common set of Identity credentials, managed by individual users, to be used with multiple online service providers.  The current default method is for each service provider to act as its own “Identity Provider” as well as being a “Service Provider” or “Relying party” that accepts a standard credential.  For example, Google, Yahoo, Facebook and Amazon.com each operates its own Identity Provider function without allowing a user to use a common set of identity credentials across all these major service providers.  While technical standards exist to enable a common Identity Provider serving multiple relying parties, we have not yet seen broad acceptance of an Identity Provider / Relying Party Identity infrastructure.

Multiple companies such as Facebook, Google, Yahoo, PayPal and Equifax have expressed interest in becoming Identity Providers for the Internet.  Certainly they have demonstrated the ability to provide highly performant systems at Internet scale.  Some relying parties have begun to demonstrate acceptance of Identity credentials from such Identity Providers, but clear winners haven’t yet emerged.  For example, Facebook and Google both provide facilities for other online sites to accept their Identity credentials, but uptake by relying parties has been fairly limited so far.

The biggest obstacles slowing widespread acceptance seem to be:

  1. Business Model. Lack of a clear financial business model to support the separation of Identity Providers from relying parties.  It is yet unclear what financial compensation should be provided to an Identity Provider by a Relying Party.  What business model is financially sustainable? 
  2. User Control.  The desire of big service providers to maintain exclusive control over their own user base.  Online service providers recognize that huge value is inherent in a large user base, particularly when combined with usage data that can be mined to provide context and preference information as discussed in my recent blog post.
  3. Ease-of-use vs. Security. Tension that exists between the need for a secure Identity credential system and the need for extreme ease-of-use by online users.  Some methods, such as Infocard/Cardspace and OpenID, have definite ease-of-use advantages over traditional systems, but serious concerns exist about whether either system can support high levels of security or Identity Assurance.

An example of cooperative efforts to address these challenges is the US Government Open Identity Initiative, which seeks to leverage existing industry credentials for Federal use of Internet Access.  Trust frameworks from organizations such as the Kantara Initiative, OpenID Foundation, InfoCard Foundation and InCommon Federation are being considered.  Google, Yahoo, Paypal and Wave are participating in this project as Identity Providers.  While the current focus is on enabling Infocard/Cardspace and OpenID for low-security access to government websites, concern has been expressed that neither method would be sufficient for higher security needs.

Recommendations:

The following questions may be in order as you consider how your organization will address Internet Identity:

  1. How many online users do you have now?
  2. How fast are you growing?
  3. What specific security and privacy assurance levels must you provide?
  4. How could easy-to-use, yet highly secure Identity credentials help you and your users?
  5. Will you be willing to rely on a third party Identity Provider to authenticate users to your site?
  6. What control do you want to entrust to your users to manage their own Identities?
Comments Off on Identity Trend 10: Internet Identity . Permalink . Trackback URL
 

Identity Trend 9: Identity Analytics

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
2:08 pm

This post is the ninth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Whenever data is amassed and made available for analysis, the odds are great that someone will  figure out ways to derive new meaning from this data.  So it is with data related to personal Identity.  I believe we will see an explosion of data analytics being applied to Identity-related data for a number of applications.  Three emerging areas are briefly described in this post.

Authentication/Discovery

imageConsiderable evidence is available to show how each of us is progressively establishing a historical, logical  “fingerprint” based on our personal patterns of accessing online resources.   In a blog post entitled, “Anonymized Data Really Isn’t,” I discussed how correlating “anonymized” data with seemingly unrelated publicly available data can pinpoint personal identities with frightening accuracy. 

In his address at Digital ID World, Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.  Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people, to be used for authentication and focused marketing activities.

I expect we will soon see many ways data analytics will be used for both positive and negative purposes, to very accurately identify individual people and leverage that identification for authentication and personalization purposes.

Context/Purpose

imageJust like data analytics can be used to identify who we really are, these methods can be leveraged to personalize the experience online users have with each other and with online applications.  As I discussed in my Identity Trend blog post about Personalization and Context, personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience  to fit what a user is doing at that time.  Data analytics can be used to evaluate both real time and historical information to answer questions such as:

  • What are you doing now?
  • What did you do recently in a similar circumstance?
  • Will historical patterns predict your preferences?

Perhaps the best-known example of this is Amazon.com’s recommendation service illustrated in the photo above.  In this case, based on my historical purchase pattern, Amazon recommended two books to me.  Ironically, Amazon recommended I purchase Seth Godin’s book entitled “Permission Marketing, which addresses some of these very issues we are addressing in this post.  In the next few years, we will most likely see more powerful and refined recommendation engines based on complex data analytics, adapted to a wide variety of user interfaces.

Auditing

imageThe big question surrounding IT auditing is, “Who really did what, when and where?”  While many tools exist for maintain audit trails and evaluating compliance with audit policy, I believe we will see and emerging class of tools to evaluate audit trails and logs in ways not anticipated by current tools.  A few examples:

Sophisticated ad hoc analytics may make it easier to discover patterns of fraudulent access that may be missed by more structured audit tools. 

Enhanced analytics may help improve the business role discovery process by detecting obscure usage trends in log data.

Recommendations:

Some questions you may consider to explore how Identity Analytics may affect your enterprise include:

  1. What Identity data do you currently store?
  2. What related data do you store that could be correlated with Identity data?
  3. Can data analytics be used to correlate data you store with publicly-available data to provide value to your enterprise and your customers?
  4. What additional business value could accrue to your organization base on such analytics?
  5. That privacy and security threats may exist to your employees and your organization if advanced analytics are used to correlate publicly-available data with data you make available?
  6. How could data analytics related to Context and Preference be used to enhance the way users interact with your organization?
  7. How can advanced analytics help you combat fraud or other cybercrime?
  8. How can you use advanced analytics to improve corporate processes?
Comments Off on Identity Trend 9: Identity Analytics . Permalink . Trackback URL
 

Identity Trend 8: Personalization and Context

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
10:51 am

This post is the eighth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the work I have been doing with Sun Microsystems during the past year has been focused on how to leverage Identity to enhance personalization of user experience across multiple “screens of your life.”  Project Destination, a Sun initiative which I lead, is all about enhancing online user experience through “Identity-enabled Service Orchestration and Delivery.”

Personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience  to fit what a user is doing at that time.  An effective combination of Identity and Context is essential for personalization.

Context refers to the idea that computer systems and networks can both sense and react based on their environment. For example, devices may have information about the circumstances under which they are able to operate and based on rules, or an intelligent stimulus, react accordingly.  Context is not simply a state, but part of a process in which users are intimately involved and user interfaces are adapted in real time to accommodate changes in user or system context. For example, a context aware mobile phone may know that it is currently in the meeting room, and that the user has sat down. The phone may conclude that the user is currently in a meeting and reject any unimportant calls. Context-aware systems are concerned with the acquisition of context, the abstraction and understanding of context, and application behavior based on the recognized context. Context awareness is regarded as an enabling technology for ubiquitous computing systems.  The Wikipedia article, “Context Awareness,” provides more details and valuable links to material on the subject.

The emergence of Context as a key component of personalization will likely accelerate as service providers seek to answer demand for the delivery of identity-enabled, highly personalized, blended services to subscribers of modern networks.

imageCombining a third element, “Preference,” will enable further personalization.  In a blog post entitled, “Identity, Context, Preference and Persona,” I proposed that the concept of persona is best understood as the intersection of three elements: 

  • Identity = who I am
  • Context = what I am doing
  • Preference = what I want
  • Persona is not just a partial projection of one’s identity.  It must take into account the context in which a person exists at the moment, and the preferences the person makes relative to that particular situation. Personalization of a product or service must be synchronized with the persona of a person at any relevant point in time – his or her current persona.

    I expect that two key context-enabled concepts will continue to gain more focus in the near future:

    1. Selective Personae refers to the ability of a person to choose which persona he or she desires to use in a particular context to enable certain types of online experiences.  For example,  online systems (such as BigDialog, a project directed by eCitizen Foundation and Massachusetts Institute of Technology) are emerging to enable citizens to interact more effectively with government officials.  In such a case, a context-driven, selective persona system may validate that a user is indeed a citizen, but allow the user to specify how much personal information (e.g. age, marital status, race) he or she wishes to expose for a particular conversation.
    2. Purpose-driven Web refers to providing a context-driven online experience focused on what a person is doing or wants to do at a particular time, not just what sites the person may be visiting on line.  For example, at the recent DIDW conference, Phil Windley, founder of  of Kynetx proposed to enable contextualized, purpose-based user experiences using the web browser as a point of integration.

    Recommendations:

    Consider questions such as these to determine how your organization can leverage Context to enhance user experience:

    1. How can a more personalized user experience strengthen the relationship between my customers and my organization?
    2. What new business opportunities can we leverage if we can deliver better user experience to our users?
    3. In what different contexts (e.g. in-store, via web browser, with mobile phone, via TV, at home, at work, during travel) do my user interact with my organization?
    4. How can we augment Identity information we have about users with contextual information to further personalize user experience?
    5. How can information I have collected about user interactions with my organization be leveraged to further personalize a user experience?
    6. What privacy and security regulations limit how we can leverage user information?
    7. Can we effectively leverage user opt-in or opt-out techniques to meet individual user preferences?
    8. How can we leverage new context-driven concepts such as Selective Personae or Purpose-driven Web to personalize the user experience for our customers?
    Comments Off on Identity Trend 8: Personalization and Context . Permalink . Trackback URL
     
    Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
    Powered by WordPress.