
Exploring the science and magic of Identity and Access Management
Friday, December 5, 2025

What is Your Secret Identity?

Humor, Identity
Author: Mark Dixon
Thursday, August 4, 2011
6:44 am

Do you have a secret Identity, an alter-ego, a second (or third) personality manifesting itself secretively in cyberspace?  If so, you must be a superhero, according to Ziggy (aka Zigmeister), our ever-erudite philosopher.


Scarce Interest in Verifying my Identity

Identity
Author: Mark Dixon
Friday, July 29, 2011
6:09 am

On December 10, 2009, I posted a short piece on this blog about Trufina, a company providing online identity verification services.  For a long time, I had a visible Trufina badge on the blog, so someone could click on it to verify that I was, indeed, the very Mark Dixon I claimed to be.  Since no one expressed interest, I took the badge off my main page.

Just this week, over 18 months later, one person actually clicked on the link in my December 2009 post and requested verification of my identity – not so much that he was interested in my identity as he was in the process of validating online identities.

I have concluded that this dearth of activity must have something to do with the following:

  1. My blog is rarely read.
  2. People aren’t interested in Trufina.
  3. People just don’t care about validation of online identities.
  4. A combination of the above.

By the way, I have never received a single request from someone via Tru.ly, the similar service whose badge I now display on the rightmost column of this blog. But I must be patient. I just signed up for Tru.ly in March, 2011. I have 14 more months before I can really compare the popularity of Tru.ly and Trufina.

 

 

Oracle Webcast: Introducing Oracle Unified Directory 11g

Identity
Author: Mark Dixon
Tuesday, July 19, 2011
8:45 am

Last week, I attended a week-long training session focused on Oracle’s new directory services product, Oracle Unified Directory.  A direct descendant of the Sun Microsystems OpenDS project, OUD is the next-generation Java-based directory product we have been anxiously anticipating for a long time.  This webinar is the first public unveiling of this exciting new product.


Identity Hardness – Do You Need Talc or Diamonds?

Identity
Author: Mark Dixon
Wednesday, June 15, 2011
4:56 pm

I had an interesting Twitter conversation recently with @steve_lockstep and @NishantK about Identity Assurance.  It began with Steve’s comment about how Facebook identities were of little worth, unfit to use with valuable transactions.  Nishant suggested that most Relying Parties (RPs) are content with “soft” identities that have to do with personal likes and interests, while significantly fewer RPs rely on “hard” identities.

Nishant’s observation about “hard” and “soft” identities made me think of the Mohs Mineral Hardness Scale, which assigns an “absolute” hardness value to different minerals.  Wikipedia’s article uses the following table to illustrate this concept:

Mohs Hardness Scale

Perhaps we could suggest a corresponding mineral and hardness value to each of NIST’s standard four Levels of Assurance (LOA) shown in the following table.

Levels of Assurance

Steve stated on Twitter that “I’m preoccupied with hard identity: doctors, lawyers, bank accts, patients”: scenarios where Facebook just doesn’t work. We could say that Steve is dealing in diamonds (level 4), but Facebook only offers talc (level 1).  Having a tangible example helps illustrate the somewhat ethereal LOA concept.  And over time, perhaps we can come up with a more definitive way to measure just how hard a particular Identity Assurance process really is.

As a parting thought: I have suggested minerals to match NIST Assurance Levels 1 and 4.  What would you suggest for the other two?

 

Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm

On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments need to be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself.  The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.


Source Doc: NIST Computer Security Division Annual Report

Identity
Author: Mark Dixon
Tuesday, June 14, 2011
3:03 pm

The National Institute of Standards and Technology (NIST) has released its 2010 Computer Security Division Annual Report. Donna Dodson, Chief, Computer Security Division & Deputy Chief Cybersecurity Advisor offers the following in her welcome statement:

The Computer Security Division (CSD), a component of NIST’s Information Technology Laboratory (ITL), conducts research, development and outreach necessary to provide standards and guidelines, tools, metrics and practices to protect our nation’s information and communication infrastructure.

In fiscal year (FY) 2010, CSD continued to build on its work in security management and assurance, cryptography and systems security, identity management and emerging security technologies. CSD played a vital role in both national and international security standard setting. The division continues its leadership role in technologies and standards for Cloud Computing, Identity Management and as a Government Wide Leader and national coordinator for the National Initiative for Cybersecurity Education (NICE). In addition, this year marked the publication of NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Security, which identifies security requirements applicable to the Smart Grid, security-relevant use cases, logical interface diagrams and interface categories, vulnerability classes abstracted from other relevant cyber security documents, specific issues applicable to the Smart Grid, and privacy concerns. We also continued to provide reference specifications in multiple areas, allowing others to leverage our work to increase the security of their systems and products.

Looking forward to FY2011, CSD plans to continue its work in information security, producing standards, guidelines, technical reference materials and specifications to improve the information security management of systems across the Nation and around the world.

By the way, this report has the coolest front cover of any government report in recent history.  The image shown above is but a small excerpt.  Not that this has anything to do with the contents of the report or anything …


How Much of Your Profile Data Can Your Social Network Share?

Identity
Author: Mark Dixon
Monday, June 13, 2011
4:21 pm

An interactive “Provider Guide” provided by JanRain shows what personal profile data maintained by popular social networks is available to applications that connect to these networks.  It is not surprising that Facebook offers the most information; LinkedIn is second in terms of available profile attributes.

With this many attributes about subscriber identities available through published APIs, it isn’t surprising how the stock market placed a huge premium on LinkedIn, and will presumably do the same with Facebook.  Perhaps the most valuable attributes are the connections to other people – friends on Facebook, contacts on LinkedIn.  The Network Effect arising from the interconnectivity of all those online members triggers extreme value momentum, particularly when all those relationships can be exposed to third parties.


What is more valuable – linkages between web pages or between people?

Identity, Social Media
Author: Mark Dixon
Saturday, June 4, 2011
12:50 pm

I was intrigued by a headline I read this morning, “How Facebook Can Put Google Out of Business,” by Ben Elowitz (@elowitz), co-founder and CEO of Wetpaint.

Elowitz started by stating his admiration for Google:

I used to envy Google and the vast digital empire that Schmidt commanded.  Google had one of the most intricate monopolies of all time. It had the most impressive dataset the world had ever seen; the most sophisticated algorithm to make sense of it; an audience of a billion users expressing their interest; and more than a million advertisers bidding furiously to reach those consumers at just the right moment.

What’s more, it had captured the ultimate prize: increasing returns to scale. Only Google could spread such huge R&D costs among an even more humongous query volume, all while offering advertisers the chance to reach most of the population with one buy. Google had earned its success.

However, he has concluded that Facebook offers more inherent value than Google, and can beat Google at its own game:

While Google has amassed an incredible database consisting of the fossilized linkages between most Web pages on the planet, Facebook possesses an asset that’s far more valuable—the realtime linkages between real people and the Web. What does this mean, and what are the implications here?

Well, in a nutshell, Facebook has stored a treasure trove of distinctive data that, if fully utilized, could put Google out of business.

I’m not astute enough to predict whether Facebook or Google will win, but I believe Elowitz has identified an important distinction between the inherent value of linkages:

“linkages between real people and the Web” [and, I might add, linkages between real people] –  primary Facebook value

or

“linkages between Web pages” – primary Google value

We call linkages between people “relationships”. In my previous post, each line on my LinkedIn connection map represents a real life relationship. Some of my LinkedIn relationships are closer in real life than others, just like some of my Facebook “friendships” are closer than others.  But they are real.  They do exist.

My real-life relationships represented by Facebook or LinkedIn have inherent value to me.  Both Facebook and LinkedIn provide real value to me through the services they provide.

Google has proven that there is great business value in “linkages between web pages”.  I believe companies like Facebook and LinkedIn are beginning to show how business value can be derived from “linkages between people”.  Google is clearly trying to catch up in the relationships business, where Eric Schmidt admits they have failed.

It will be interesting to see how they, and other companies of their ilk, will continue to succeed or fail in business as they leverage (in a positive sense) their understanding of my relationships, hopefully without exploiting (in a negative sense) the private information I entrust to them.


Visualizing my LinkedIn Network

Identity
Author: Mark Dixon
Friday, June 3, 2011
5:27 pm

The interesting diagram included below is a visualization of my LinkedIn network.  It represents the 1,220 contacts I have connected to via LinkedIn, since I joined as the 8,638th member of LinkedIn way back in 2003 or 2004.

LinkedIn Map

The blue cluster in the upper right contains primarily contacts from the Arizona business community.  The small cluster in the lower right corner contains contacts from Eyring Research Institute, the company where I spent the first dozen years of my career.  The big, multi-colored cluster to the left grew from my interaction with Sun Identity Management and Telecommunications groups, with many people transitioning with me to Oracle or other companies, plus folks I have added since the Sun Acquisition.

You can get your own map at InMaps, from LinkedIn Labs.

 


Personal Data: The Emergence of a New Asset Class

Identity
Author: Mark Dixon
Wednesday, June 1, 2011
8:49 am

I discovered an interesting white paper this morning, entitled, “Personal Data: The Emergence of a New Asset Class,” published by the World Economic Forum. The introductory page describes the issue:

This personal data – digital data created by and about people – is generating a new wave of opportunity for economic and societal value creation. The types, quantity and value of personal data being collected are vast: our profiles and demographic data from bank accounts to medical records to employment data. Our Web searches and sites visited, including our likes and dislikes and purchase histories. Our tweets, texts, emails, phone calls, photos and videos as well as the coordinates of our real-world locations. The list continues to grow. Firms collect and use this data to support individualised service-delivery business models that can be monetised. Governments employ personal data to provide critical public services more efficiently and effectively. Researchers accelerate the development of new drugs and treatment protocols. End users benefit from free, personalised consumer experiences such as Internet search, social networking or buying recommendations.

And that is just the beginning. Increasing the control that individuals have over the manner in which their personal data is collected, managed and shared will spur a host of new services and applications. As some put it, personal data will be the new “oil” – a valuable resource of the 21st century. It will emerge as a new asset class touching all aspects of society.

The report uses a definition of personal data provided by the World Economic Forum in June 2010:

Personal data is defined as data (and metadata) created by and about people, encompassing:

  • Volunteered data – created and explicitly shared by individuals, e.g., social network profiles.
  • Observed data – captured by recording the actions of individuals, e.g., location data when using cell phones.
  • Inferred data – data about individuals based on analysis of volunteered or observed information, e.g., credit scores.

The report concludes:

Personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike.

The business, technology and policy trends shaping the nascent personal ecosystem are complex, interrelated and constantly changing. Yet a future ecosystem that both maximises economic and societal value – and spreads its wealth across all stakeholders – is not only desirable but distinctly possible. To achieve that promise, industries and public bodies must take coordinated actions today.

Five major recommendations are explored in depth:

  1. Innovate around user-centricity and trust
  2. Define global principles for using and sharing personal data
  3. Strengthen the dialog between regulators and the private sector
  4. Focus on interoperability and open standards
  5. Continually share knowledge

As both an owner of personal data and as an Identity and Access Management practitioner, I find this subject compelling and timely.  The white paper is certainly worth the read.

 

 

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.