
Exploring the science and magic of Identity and Access Management
Saturday, May 25, 2024

test post

Author: Mark Dixon
Tuesday, August 18, 2020
11:28 am

test post


Cisco 2018 Annual Cybersecurity Report

Author: Mark Dixon
Wednesday, June 13, 2018
3:24 pm


Today’s light reading – the Cisco 2018 Security Capabilities Benchmark Study. This report, which “offers insights on security practices from more than 3600 respondents across 26 countries,” shows that “defenders have a lot of challenges to overcome.”

The report introduction states,

Adversaries and nation-state actors already have the expertise and tools necessary to take down critical infrastructure and systems and cripple entire regions. But when news surfaces about disruptive and destructive cyber attacks—such as those in Ukraine, for example, or elsewhere in the world—some security professionals might initially think, “Our company’s market/region/technology environment wasn’t a target, so, we’re probably not at risk.”

However, by dismissing what seem like distant campaigns, or allowing the chaos of daily skirmishes with attackers to consume their attention, defenders fail to recognize the speed and scale at which adversaries are amassing and refining their cyber weaponry.

I love that imagery: “chaos of daily skirmishes with attackers to consume their attention.” Sounds like cybersecurity Whac-a-Mole.

So what is a company to do?  The report offers hope:

… defenders will find that making strategic security improvements and adhering to common best practices can reduce exposure to emerging risks, slow attackers’ progress, and provide more visibility into the threat landscape.

The 68 page report provides extensive analysis of the problems confronting us and numerous recommendations to address the complex security issue.  I like page 53, which states:

Faced with potential losses and adverse impact on systems, organizations need to move beyond relying solely on technology for defense.

Cisco research found that only 26% of security issues “can be addressed by technology alone”, while 74% “might also require people and/or policies to address.”

It is a complex world out there. We must think strategically, not just tactically killing each threat as it rears its head.


Pay with My Identity via Apple Watch

Author: Mark Dixon
Friday, August 18, 2017
4:07 pm


I am reading a fascinating book, “Identity is the New Money,” by David Birch. The book was published three years ago, but I find it extremely relevant today.

I just read this paragraph:

Identity becomes the key to transactions and a crucial individual resource that needs to be looked after by responsible organizations.  We all need to start planning for the transition to identity based transactions.

This triggered a thought – isn’t paying for something or enabling some action via my Apple watch a good example of an identity-based transaction of the type Mr. Birch speaks of? It kind of amazes me that paying via phone or watch is still something of a novelty in many circles. But for me, I am always on the lookout for somebody that accepts that sort of identity-based transaction.

Here is a list of some of the places where I have recently paid with my Identity via Apple Watch:

  • Walgreens (An early adopter – the very first place I used Apple Pay)
  • Trader Joe’s
  • Whole Grain Bread
  • A&P Nursery (the tree and plant kind of nursery)
  • Church cafeteria
  • Taxi
  • Airport news/convenience store
  • Gas station / convenience store

I also nearly always use my watch to present my boarding pass as I go through airport security and board a flight. Isn’t that also “paying” with my identity?

It is interesting how often the point of sale clerk will comment on the “high tech” or “newfangled” way I pay. Several times, they have said I was the first person they had seen pay with a watch.

I am really disappointed that the major retailers I often visit – Home Depot, Lowes, Walmart, Sam’s Club, Fry’s (Kroger), etc., haven’t jumped on the bandwagon.

I just find it so incredibly easy to pay with my watch – to pay with my identity.  I just wish the pace of adoption would accelerate!


Banks as Identity Service Providers?

Author: Mark Dixon
Wednesday, August 2, 2017
4:53 pm


Yesterday, I blogged about the inherent conflicts of interest that exist with most current or potential Identity Providers.  Is it just coincidence that today I would read a post on LinkedIn by Gary Rowe, CEO/Principal Consulting Analyst at TechVision Research, highlighting the TechVision Research report, “Banking on Identity?”

The report offers a compelling case: “The opportunities for banks to become identity service providers.” I was impressed when I read the downloaded report.  Here are a few excerpts:

Identity data in all its forms is going to power the global economy of the future and will become increasingly highly prized and sought after. Services that help manage the safekeeping and distribution of identity data could dominate that future.

This is certainly in harmony with the statements in my recent blog, “The Future of Digital Identity,” in which I quoted David Birch, author of “Identity is the new Money.”

For banks to proactively create a new set of identity services would not be that far removed from what they are required to provide today to comply with KYC (know your customer) and other regulations, both in Europe and the rest of the world. It would also offer a welcome opportunity to strengthen customer relationships and encourage customer loyalty at a time when other aspects of the banking business are being disrupted.

Yes, Identity is about relationships, and banks do seek to strengthen relationships with their customers. I place trust in the banks with which I do business.  Can I also trust them to safeguard my identity information, the “new money” of the global economy?

From a consumer perspective, the major initial attraction [in banks as identity service providers] will be convenience. Not having to repeatedly undergo the tiresome process of producing hard copy documentation verifying identity, as well as proof of residence, will be very attractive and remove an irritating barrier to getting business started as quickly as possible. Being able to use the trusted services of a bank will, in the majority of cases, likely be far more attractive than using the services of a social media or any other company.

As a consumer, I would definitely prefer my bank as identity provider over Facebook or Twitter!

For the banks, the principal advantage of becoming identity providers is about cost mitigation. Banks are already spending large amounts on KYC and other identity-related issues. Any opportunity to begin to monetize that sunk cost would provide a welcome additional income stream.

The report lays out a compelling case for benefits to banks in providing identity services.  The new ability to “monetize that sunk cost” is a benefit I hadn’t considered before.

Until recently the requirement for a customer-centric identity service was the stuff of long-term visions, and the idea that a bank would provide such a service would have been considered outlandish. But the demands of today’s heavy dependence on the Internet for every aspect of daily life has made the absence of safe, secure and reliable personal credentials one of the barriers to the growth of the digital economy.

I admit that I was one with long term dreams, if not visions, of a good identity service provider.  BofA, Chase, Wells Fargo — which of you will have the vision and courage to make it happen?





Identity Providers – Conflict of Interest

Author: Mark Dixon
Tuesday, August 1, 2017
4:05 pm


After uploading yesterday’s blog post, I realized that I had again made a statement about a problematic “conflict of interest” inherent in many Identity providers.

What do I mean by that?

For many years, I have dreamed of the concept of a broadly used Identity Provider enabling each of us to leverage one set of identity credentials to reach service providers, with personal control over which bits of our personal information would be shared with each service provider.  

I just checked way back on my blog to find a few examples of my early yearnings:

Well, now we are in 2017.  The technology is widely available to make that happen. Can’t we just use Facebook, Google, Twitter or Amazon? Well yes, sort of. However, I propose that the biggest problem with any of these organizations really filling the role of a universal identity provider is that they all have massive conflicts of interest.

Facebook, Google and Twitter really just want to sell my eyeballs and mouse clicks to the highest bidder in an advertising war.  Amazon just wants to sell me stuff. 

Why would any of these companies ever really want to allow me to use the relationship I have developed with them to establish a relationship with a competitor? Only if it is calculated to benefit their interests, to be sure.

Such conflicts of interest are grounds for employee termination in many companies (or should be), yet it happens all the time on the Internet.  I suppose that only when truly independent identity providers like Sovrin are widely adopted will we escape these conflicts of interest. 


The Future of Digital Identity

Author: Mark Dixon
Monday, July 31, 2017
4:59 pm


Following a blog post recommendation by Emma Firth, Communications Director of Digi.me, I just read an insightful article, “Transforming the Digital Identity Landscape,” in the June 2017 issue of Leo, an e-magazine published by Luxembourg for Finance.

It was particularly interesting to read the viewpoints of four Digital Identity thought leaders who spoke at the Fintech Stage Luxembourg conference:

A few excerpts:

David Birch, Director of Research at Consult Hyperion and author of “Identity is the new Money.”

To me, digital identity is the bridge between the world of virtual identities that only exist on-line and the things that exist in the real world.

You can think of the problem as being that there are two sides to that bridge: we need to connect the bridge to the real world, and that’s complicated and time-consuming and expensive. Nobody wants to have to manage personal data. Especially because you have new data protection laws coming, and the costs of having to manage this ‘toxic waste’ and deal with it when it is tangential to your business are not what you want to do.

Connecting the bridge to the virtual world, in contrast, is easy. We should have many virtual identities, one for each of our online relationships.

I like the concept of Identity being a bridge (or set of bridges) between the virtual world of online identities and reality.

His comment about the difficulty of managing the “toxic” waste of personal data which is only tangential to real business is particularly relevant in the GDPR countdown to May 25, 2018.

Julian Ranger, Chairman and Founder of digi.me

We have always been multi-dimensional. The question is, are our financial services able to support that multi-dimensionality and work for me across all of those dimensions?

If you consider identity not to be just identification of data, but all the things that I do, then it’s a holistic through-life process, and you should be using digital identity by engaging directly with me and looking at me across all aspects of my life.

I liked how Mr. Ranger described Digital Identity as a “holistic through-life process,” challenging financial services companies to embrace the inherent multi-dimensional reality of the customers they serve.

David Brear, Founder and CEO of 11:FS, a FinTech consultancy

When you look at digital identity there is no de facto listing globally. 

This is so critical to identity that if you don’t trust the system that the identities are being captured and contained within, it makes it tough for that system to be very useful within the realms of what you are trying to do. This is why people have started to look at irrefutable databases. Things like distributive ledgers and blockchain-like identity schemes are very interesting for this.

Yes, Digital Identity begs for a global “irrefutable database,” perhaps using “distributive ledgers and blockchain-like identity schemes.”  I believe this type of mechanism is essential to really solve the current conflict of interest nature of Identity providers.

Sam Maule, Director, Senior Practice Lead, Digital & FinTech at NTT DATA Americas

I believe we overuse and overhype the term blockchain. I believe that distributive ledger technology does serve as an excellent tool, but in the future, we are going to have components of Artificial Intelligence that we haven’t looked at before, with which we will be able to fine-tune this concept of digital identity.

Startups and FinTech can streamline and simplify the process around identity, and I believe the banks themselves can secure it and make sure it’s compliant, and the two work hand in hand together.

I agree that “blockchain” is an overhyped term, but it is interesting that Mr. Maule turned to another over-hyped term, “Artificial Intelligence,” in the quest to fine tune and simplify the problems of Digital Identity.  I expect that we will see a number of technologies converge to meet the global requirements of Digital Identity.

In all, fascinating concepts:

  • Digital identity is the “bridge” between our many online virtual identities and our real-world selves.
  • Digital Identity must be a “holistic through-life process,” accommodating the inherent multi-dimensional aspect of our lives.
  • Technologies like blockchain and distributed ledgers will be essential to enable global, irrefutable databases for Digital Identity.
  • Blockchain alone won’t solve all the problems.  Leveraging other emerging technologies such as artificial intelligence will be essential to meet real world Digital Identity demands.

I love these discussions about Identity.  We have a great future ahead.


Identity – Critical for GDPR?

Identity, Privacy
Author: Mark Dixon
Friday, July 28, 2017
12:44 pm


How critical is Identity and Access Management to GDPR Compliance?

The somewhat radical, but underlying philosophy of GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII), and grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data “by design and default,” but the question remains – how can enterprises keep track of all the data subjects and their PII data?

I propose that Identity is at the heart of the matter.  How can an enterprise:

  1. Know who all data subjects are and what personal data is being maintained?
  2. Know what rights of data use each data subject has granted? 
  3. Know what PII data elements are being maintained and processed for each data subject?
  4. Enable data subjects to edit (rectify) any of the data elements being maintained?
  5. Allow each data subject to grant or withdraw consent?
  6. Securely authenticate and authorize data subjects when they desire access to their PII?
  7. Guarantee that only people with legitimate need-to-know can access PII?
  8. Enable data subjects to request erasure?
  9. Audit and certify processes for consent, use and erasure?
  10. Notify data subjects of any breaches?

There are probably more reasons, but this list is a start. In my opinion, Identity is at the heart of effective GDPR compliance.

By the way, as of today, there are only 300 days left.


Cyber Attackers – Virtual Scorpions?

Author: Mark Dixon
Wednesday, July 26, 2017
11:16 am

This morning I read a short article stating, “Arizona businesses lead the nation in malware detections.” Wouldn’t you know — Arizona leads the nation — but not in some fun way like an NBA Championship.

I immediately thought of another dubious distinction for our state – the Arizona bark scorpion is the most venomous scorpion in North America.

I propose that we begin to think of cyber attackers as “Virtual Scorpions” – sneaky, scary, venomous and treacherous.

If only we could deal with cyber attackers like our grandkids detect and obliterate scorpions in Arizona –  armed with ultraviolet lights and a blowtorch.

Enjoy the show.


Passwords and Buggy Whips, Revisited

Identity, Information Security
Author: Mark Dixon
Tuesday, May 9, 2017
10:02 am



Eight years ago this month, I posted a short article on this blog entitled, Passwords and Buggy Whips.

Quoting Dave Kearns, the self-proclaimed Grandfather of Identity Management:

Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.

I commented:

Perhaps this won’t get solved until I can hold my finger on a sensor that reads my DNA signature with 100% accuracy and requires that my finger still be alive and attached to my body.  We’ll see …

So here we are.  Eight years have come and gone, and we still use buggy whips (aka passwords) as the primary method of online authentication.

Interesting standards like FIDO have been proposed, but are still not widely used.

I was a beta tester for UnifyID’s solution, which used my phone and my online behavior as multiple factors. I really liked their solution until my employer stopped supporting the Google Chrome browser in favor of Firefox. Alas, UnifyID doesn’t support Firefox!

We continue to live in a world that urgently needs to be as rid of passwords as we are of buggy whips, but I don’t see a good solution coming any time soon.  Maybe in another eight years?




Blockchain – Enabling the Fourth Phase of Identity?

Author: Mark Dixon
Friday, May 5, 2017
10:49 am


The most intriguing work in the Identity world today is the potential application of Blockchain/Distributed Ledger technology for user-focused Identity Management.

I am certainly not a blockchain expert, but I believe these concepts have the potential to solve several nagging problems that have been facing us for many years, including:

  1. Individual users can confidently leverage their own identities across multiple organizations, including employers, government agencies, online vendors, etc.
  2. Multiple organizations across public and private sectors could rely on digital identities just as confidently as these organizations currently rely on identification documents such as passports, drivers licenses, etc.
  3. The huge proliferation of multiple identity relationships that must be set up for individual users to access and use online resources could be drastically reduced.
  4. The overall digital infrastructure for managing identities could be significantly simplified. 
  5. The ability to secure digital identities could be significantly improved in an increasingly hostile online world.

We certainly aren’t there yet, but I am encouraged by work being done.  Some of the recent articles I have read on the subject include:

BlockChain Technologies That Go Beyond Bitcoin. Item 3 of 6 is “Digital Identity.”

Blockchain technologies make tracking and managing digital identities both secure and efficient, resulting in seamless sign-on and reduced fraud.

The Path to Self-Sovereign Identity, blog post by Christopher Allen: 

I want to share a vision for how we can enhance the ability of digital identity to enable trust while preserving individual privacy. This vision is what I call “Self-Sovereign Identity”.

Christopher outlines four broad stages since the advent of the Internet:

  1. Centralized identity
  2. Federated identity
  3. User-centric identity
  4. Self-sovereign identity.

He then proposes “Ten Principles of Self-Sovereign Identity” that appear to provide a foundation upon which to construct standards and systems to build a real “Fourth Phase” identity system:

  1. Existence. Users must have an independent existence. 
  2. Control. Users must control their identities.
  3. Access. Users must have access to their own data.
  4. Transparency. Systems and algorithms must be transparent. 
  5. Persistence. Identities must be long-lived.
  6. Portability. Information and services about identity must be transportable.
  7. Interoperability. Identities should be as widely usable as possible.
  8. Consent. Users must agree to the use of their identity.
  9. Minimalization. Disclosure of claims must be minimized. 
  10. Protection. The rights of users must be protected.

The following two articles appear to draw heavily from the concepts presented by Christopher Allen.

The Journey to a Self-Sovereign Digital Identity Built on a Blockchain.  According to IBM’s Jai Singh Arun, 

Permissioned blockchain technology provides core capabilities that enable a trusted digital identity network to build and operate.

I agree that blockchain technology is essential to achieving the goals outlined by Christopher Allen.

A Self-Sovereign Identity Architecture. (PDF file) A topic paper from the ID2020 Design Workshop:

to identify what a self-sovereign architecture would look like for the Web as well as a number of technical requirements of such an architecture. This topic paper outlines that proposed architecture and its primary components and actors.

It is good to see that smart people are working together to explore how to transform these foundation principles into reality.

IEEE launches standards program focused on blockchain and identity. 

Technical organization and standards leader, IEEE, is launching a new program to create standards around consumer and patient data protection, specifically as it relates to blockchain and identity. Called, Digital Inclusion through Trust and Agency, the initiative will bring together technology innovators, policy experts and academic researchers to address the topic.

Standards will be necessary to make blockchain-based identity systems pervasive in the world.

Blockchain-based Identity meets the Sovrin Foundation. According to Phil Windley, Chair of the non-profit Sovrin Foundation:

Sovrin is building a scalable, privacy-protected, auditable (based on time-stamped data written to the distributed ledger) ecosystem empowering individuals to manage their identities, support granular selective disclosure and provide organizations with trusted connections to individuals.

I am impressed with the work the Sovrin Foundation is doing.  The fact that an independent, non-profit organization has been established to be the independent overseer of a blockchain-based identity service seems to provide a solution to the inevitable conflicts of interest that exist if organizations like banks, credit bureaus, credit card issuers or the government provide identity services.

I am working to better understand the concepts and challenges in this exciting area.  It is going to be a fun ride.





Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.