
Exploring the science and magic of Identity and Access Management

Paypal: Combating Cybercrime

Identity, Information Security
Author: Mark Dixon
Thursday, May 19, 2011
1:20 pm

Michael Barrett, Andy Steingruebl, Bill Smith of Paypal have collaborated on an excellent white paper entitled, “Combating Cybercrime – Principles, Policies, and Program.”  I highly recommend it to you.

Rather than attempt an analysis at this time, please let me share a segment of an introductory paragraph …

What is possible, and perhaps even likely should current trends continue, is the perception by Internet users that the Internet is unsafe and therefore unsuitable for everyday use. Should this perception become widespread, crowd psychology could take hold and as with the recent world financial crisis, result in a loss of faith in “the system”. Certainly there were very tangible and real issues behind the financial crisis, but the long-lasting impact has proven to be the perceptual shift resulting in the Great Recession.

… and a portion of their conclusion:

The authors believe that cybercrime, and other cyber issues are the one area that could cause this type of loss of faith in the safety of the Internet. In this white paper, the authors lay out an entire framework of practical actions that could be taken to reduce the impact of cybercrime, and substantially make the Internet safer. Even if only some of these recommendations are implemented, it will make a significant improvement in Internet safety. While we’re hesitant to name any of these initiatives as being more important than any other, we are occasionally asked “list the three things you want us to do”. In general, we list:

  • Increase investment in cybercrime law enforcement.
  • Start the Internet NTSB.
  • Fix the Cybercrime Convention.

Just doing those three things would make a big difference, albeit it would be – to paraphrase the punchline of many a joke – merely “a good start”. We expect this paper to be a first step in a multi-stakeholder and iterative process and approach to making substantial progress against cybercrime. We welcome feedback on our proposals.

In between these bookends lies a thought-provoking analysis of the basic problems, the challenges and roadblocks that complicate potential solutions, and a decisive call to action to bring about a coordinated ecosystem change.  The authors propose ten underlying principles and a series of specific recommendations, ranging from international law enforcement to forcing unsafe devices off the Internet.

I believe this document will help foster and accelerate interactions among the appropriate business, government and user communities to make significant progress.  We all have a stake in this.  This document will help us understand the issues and get involved.

 

Craig Burton on the Live Web and Internet of Things

Identity, Technology
Author: Mark Dixon
Saturday, May 14, 2011
8:46 am

Craig Burton, who recently joined Kuppinger Cole, authored an insightful article, “Bringing the Web to Life at Last,” addressing two compelling topics: “The Live Web” and the “Internet of Things”.  His final statement provides an apt summary:

We don’t need a Facebook of Things. We need an Internet of Things. We need the Live Web.

Craig outlines the basic concepts of the Live Web:

The term Live Web was first coined by Doc Searls and his son Allen Searls to describe a Web where timeliness and context matter as much as relevance. It blossoms with the following three assumptions:

  • All things are connected to the Internet.
  • All things are recorded and tagged.
  • All things can be recalled and accessed in context.

The Live Web is made up of three core principles that give rise to generating context:

  • First principle: Ubiquitous programmable data access. (APIs)
  • Second principle: Ubiquitous event-based endpoints.
  • Third principle: Ubiquitous event-based evaluation and execution machines.

Note that the three principles match the three assumptions.

Craig explains how, even if all devices are connected to the Internet (the Internet of Things), the current web paradigm, as wonderful as it is, would not work well, because the current web operates in a tightly-coupled manner, like Facebook:

The problem with the idea of a big “Facebook of Things” kind of site is the tight coupling that it implies a person would have to take charge of all the devices. You would have to “friend” each one. And remember, these are devices, so not only do you have to connect and “friend” them but you will be doing the work of managing them.

This just isn’t going to happen. Ever.

However, applying Live Web principles and loosely coupling the device will enable the Internet of Things to work:

Each device can interpret that message however it sees fit or ignore it altogether. This significantly reduces the complexity of the overall system because individual devices are loosely coupled.

It will be fun to see the progressive realization of these concepts: all devices connected to the Internet and coupled in a loose sort of way that makes possible all kinds of interesting applications.  I just wonder how long it will be before I can sit here at my desk and command my Live Web connected kitchen to cook me up a nice omelette for breakfast?

 

 

IAM Lifecycle Management for (Take Your Pick)

Identity
Author: Mark Dixon
Friday, May 6, 2011
3:58 pm

We in the IAM world do a fairly good job of addressing “User Lifecycle Management” and “Role Lifecycle Management” issues, but are generally abysmal in other areas that beg to be governed by full-functioned, easy to use, lifecycle management principles.

What are lifecycle management principles?  I propose that the following apply:

  1. Application of standard, repeatable, and easy-to-use methods for creating, configuring, changing, approving, invoking and terminating objects.
  2. Ability to execute these methods directly or through delegated administration functionality.
  3. Ability to verify correct operation through process transparency and consistent audits.
  4. Ability to easily manage objects individually or in large sets.

In order to benefit from lifecycle management principles, objects need to have characteristics such as these:

  1. a beginning
  2. an end
  3. dynamic configuration over time
  4. need of approvals for creation, changes and termination
  5. operative dates/times for each step in the lifecycle
  6. object versioning

Given these two lists, what types of objects in an Identity and Access Management system beg for Lifecycle Management?  At least these:

  1. Users
  2. Roles
  3. Entitlements
  4. Policies (for provisioning, access control, authorization and audits)
  5. Managed Systems (applications, systems, devices, etc.)
  6. Workflows/Processes
  7. Forms
  8. Configurations

Wouldn’t it be great if there was a single coordinated, cohesive user interface for providing lifecycle management of all these objects? Certainly, there are significant differences between object types, but the processes of keeping them all under control over time have more similarities than differences.

We still think too much in silos, rather than in integrated architectures.  If we are to ever reach the worthy objectives of ease of use, rapid implementation and effective administration, we must successfully conquer this lifecycle management problem.
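As an added illustration of the four principles and six object characteristics above (example code, not from the post), here is one lifecycle manager that treats users, roles, entitlements, policies and the rest uniformly: every object moves through request, approval, effective date, versioned change and termination, with delegated administration, an audit trail and bulk operations. The object kinds, the rule that requester and approver must differ, and the ISO-8601 date strings are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

class LifecycleError(Exception):
    pass

@dataclass(frozen=True)
class Version:
    number: int           # versioning (characteristic 6): every approved step is kept
    config: dict | None   # None marks the termination step (characteristic 2: an end)
    effective: str        # operative date (characteristic 5), ISO "YYYY-MM-DD" so strings sort by date
    requested_by: str
    approved_by: str

@dataclass
class ManagedObject:
    kind: str             # "user", "role", "entitlement", "policy", "workflow", ...
    name: str
    state: str = "draft"  # draft -> active -> terminated
    versions: list = field(default_factory=list)
    pending: tuple | None = None   # (proposed config or None, requester) awaiting approval
    audit: list = field(default_factory=list)   # principle 3: transparent, auditable history

class LifecycleManager:
    """One manager for every object kind; its methods are the standard, repeatable steps."""
    def __init__(self, delegations):
        self.delegations = delegations   # kind -> administrators delegated for that kind (principle 2)
        self.objects = {}

    def _authorize(self, actor, kind):
        if actor not in self.delegations.get(kind, set()):
            raise LifecycleError(f"{actor} is not delegated to administer {kind} objects")

    def _get(self, kind, name):
        if (kind, name) not in self.objects:
            raise LifecycleError(f"unknown {kind} {name}")
        return self.objects[(kind, name)]

    def request(self, kind, name, config, actor):
        """Propose a creation (new name), a change (new config) or a termination (config=None)."""
        self._authorize(actor, kind)
        obj = self.objects.get((kind, name))
        if obj is None and config is None:
            raise LifecycleError(f"cannot terminate unknown {kind} {name}")
        if obj is None:
            obj = self.objects[(kind, name)] = ManagedObject(kind, name)
        elif obj.state == "terminated" or obj.pending is not None:
            raise LifecycleError(f"{kind} {name} is terminated or already has a request pending")
        obj.pending = (config, actor)
        obj.audit.append((len(obj.audit) + 1, actor, "requested", "terminate" if config is None else str(config)))
        return obj

    def approve(self, kind, name, actor, effective):
        """Approve the pending request (characteristic 4); the new version is operative from `effective`."""
        self._authorize(actor, kind)
        obj = self._get(kind, name)
        if obj.pending is None:
            raise LifecycleError(f"nothing is pending for {kind} {name}")
        config, requester = obj.pending
        if actor == requester:   # assumption: requester and approver must be different people
            raise LifecycleError("requester may not approve their own request")
        if obj.versions and effective < obj.versions[-1].effective:
            raise LifecycleError("effective date precedes the current version")
        obj.versions.append(Version(len(obj.versions) + 1, config, effective, requester, actor))
        obj.pending = None
        obj.state = "terminated" if config is None else "active"
        obj.audit.append((len(obj.audit) + 1, actor, "approved", f"v{len(obj.versions)} effective {effective}"))
        return obj

    def config_at(self, kind, name, on):
        """Configuration operative on date `on`; None before creation or after termination."""
        applicable = [v for v in self._get(kind, name).versions if v.effective <= on]
        return applicable[-1].config if applicable else None

    def bulk(self, items, action, actor, **kw):
        """Run one lifecycle step over many objects at once (principle 4), keeping per-object outcomes."""
        results = {}
        for kind, name in items:
            try:
                getattr(self, action)(kind, name, actor=actor, **kw)
                results[(kind, name)] = "ok"
            except LifecycleError as e:
                results[(kind, name)] = str(e)
        return results
```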

 

 

 

National Strategy For Trusted Identities In Cyberspace – My Take

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 29, 2011
5:54 pm
 
When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.
 
However, rather than leave interpretation to others, I actually read the 45-page National Strategy For Trusted Identities In Cyberspace document that was officially released on April 15th.  Based on what I read, this initiative seems more like guidance for a national Interstate Highway system than a mandate for socialized health care.
 
On page 29 of the document, speaking of the goals for this initiative, we read:

These goals will require the active collaboration of all levels of government and the private sector. The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.

If indeed the Federal Government can act as a catalyst, in cooperation with the private sector, to accelerate progress toward a secure, convenient, easy to use, interoperable and innovative framework for trusted identities, without exercising control and exploitation over participants, I can strongly support the initiative.
 
However, it is the nature of most people in areas of concentrated power to abuse the power with which they have been entrusted.  This natural tendency, both in the public and private sector, may lead to unintended bad consequences as a result of this initiative.  As the Trusted Identities initiative moves forward, we must be vigilant to make sure public or private power is not abused.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

The Identity Ecosystem, as envisioned here, will increase the following:

  • Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
  • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
  • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
  • Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
  • Security, by making it more difficult for criminals to compromise online transactions;
  • Confidence that digital identities are adequately protected, thereby promoting the use of online services;
  • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
  • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media.

The Trusted Identity Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:

  • Identity solutions will be privacy-enhancing and voluntary
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use

The document spends over 40 pages explaining and exploring these goals and guiding principles.  Many more pages in many more documents will be produced before these objectives are achieved.
 
I look forward to following the progress of this initiative.  If this helps focus attention and resources on resolution of some difficult identity issues we face, it will be a good thing. Let’s work together to make that happen.
 
 

Gartner names Veriphyr “Cool Vendor in Identity and Access Management”

Identity
Author: Mark Dixon
Friday, April 29, 2011
11:18 am

Congratulations to my good friend Alan Norquist, whose company Veriphyr was named a “Cool Vendor in Identity and Access Management” in a recent Gartner report.  Veriphyr offers an on-demand SaaS service that “analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.”

I received Alan’s email informing me of this recognition earlier today – ironically just two days after I posted an article about the business benefits of Identity and Access Intelligence.  Here is Veriphyr’s definition of Identity and Access Intelligence:

Identity and access intelligence (IAI) is a new category of SaaS application that uses advanced data analytics to mine identity, rights, and activity data for intelligence that is useful not only for IT operations, but also for broader business operations. What is new about IAI is its focus on the needs of the business manager, who typically has the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and how much resource utilization is appropriate. IAI informs the identity and access management process (IAM) in a way that provides rapid value to business managers and generates the buy-in from business stakeholders that is needed for a successful project implementation.

I predict that this segment of the Identity and Access Management market will grow rapidly, as enterprises seek to gain actionable intelligence from their growing mountains of available Identity and Access data.

 

Business Value from Identity and Access Intelligence

Business, Identity
Author: Mark Dixon
Wednesday, April 27, 2011
4:27 pm

It was almost two months ago when I first mentioned on this blog the term coined by Gartner, “Identity and Access Intelligence.”  I have been thinking much lately about the real business value enterprises can derive from this discipline, and will attempt in this post to enumerate and comment on such benefits.

As good fortune would have it, my Oracle Colleague Nishant Kaushik shared with me a copy of a presentation deck he used recently, entitled, “Identity Intelligence to Drive Business Objectives.”

For the purpose of this discussion, we will use the term “IAM Intelligence” to refer to “Identity and Access Intelligence” or “Identity Intelligence”. Furthermore, we will regard IAM intelligence to include tools for IAM data collection, aggregation, analysis, presentation and automated action, coupled with the human processes for seeking to understand, present and act on that data – the transformation of data into actionable intelligence.

Earl Perkins of Gartner put it this way:

IAM intelligence is more than knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

 

Primary Business Benefits

The following major business benefits can accrue from IAM intelligence.  These are roughly the same as Nishant used in his presentation, in a slightly different order.

  1. Enable Visibility and Transparency.  If an enterprise is to effectively answer the compelling questions, “Who has access to what?”, “Who granted that access?” and “How were such access rights used?”, a great degree of information visibility and transparency is needed.   The questions are simple; the process of answering them is not.  IAM intelligence seeks to answer these questions quickly and accurately, in a manner that reduces business risk and increases regulatory compliance at a reasonable cost.
  2. Support Business Decisions.  Good business decisions should be based on reliable information, not on supposition.  A client recently remarked, “We need to base our decisions on facts, not just on what we think those facts are or should be.”  IAM intelligence provides the foundation for making good business decisions based on reliable information.
  3. Turn Data into Insight, and Insight into Action.  With the expansion of IAM infrastructure for administering user, role and entitlement life cycles and enforcing access policy, the amount of relevant Identity and Access data is immense.  That raw data does little good unless we can effectively organize and analyze such data so effective business decisions can be made and intelligent action can be taken as a result.  IAM intelligence enables the transformation of raw data into actionable insight.
  4. Strengthen Identity & Access Governance. The structured method for managing IAM systems, or IAM Governance, can be made more effective if accurate, reliable, timely and actionable information is available for IAM stakeholders to make good decisions.
  5. Identify, Measure and Manage Risk.  To effectively manage risk, an enterprise must accurately identify what risks exist, create policies for dealing with such risks, and implement effective controls for enforcing those policies.  Actionable information provided by IAM Intelligence can enable enterprises to correctly identify, understand and control risk.
  6. Contain Costs. Gathering and evaluating data through manual means can be very expensive, including initial data collection, manipulation, analysis and presentation.  Automated Identity Intelligence methods can minimize costs by taking labor out of the process.
  7. Build Trust. In order for any information system to become an effective foundation for business execution, business leaders must implicitly trust the tools and processes that comprise the system.  An effective IAM Intelligence system will provide that trusted foundation that a business leader can use to guide his or her business activities.
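An added example (not from Nishant’s deck, Veriphyr, or this post) of the three questions in item 1 answered over constructed grant and activity data, with item 3’s “insight into action” step reduced to two findings: grants that were never exercised and activity with no grant behind it, which is the record-level kind of violation the Veriphyr definition above describes. The CSV layouts, user names and resource names are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export of entitlement grants (who has what, who granted it, when).
GRANTS_CSV = """user,resource,granted_by,granted_on
alice,payroll-db,manager-1,2011-01-10
bob,payroll-db,manager-1,2011-02-02
carol,hr-records,manager-2,2011-03-15
"""

# Constructed sample application activity log (who actually used what, and when).
ACTIVITY_CSV = """timestamp,user,resource
2011-04-01T09:12:00,alice,payroll-db
2011-04-01T09:40:00,alice,payroll-db
2011-04-02T22:05:00,dave,hr-records
2011-04-03T10:00:00,carol,hr-records
"""

def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))

class AccessIntelligence:
    """Joins grant data with activity data to answer the three IAM intelligence questions."""
    def __init__(self, grants, activity):
        self.grants = {(g["user"], g["resource"]): g for g in grants}
        self.usage = Counter((a["user"], a["resource"]) for a in activity)

    def who_has_access(self, resource):
        """Q1: who has access to what?"""
        return sorted(user for (user, res) in self.grants if res == resource)

    def who_granted(self, user, resource):
        """Q2: who granted that access, and when? None if no grant is on record."""
        grant = self.grants.get((user, resource))
        return None if grant is None else (grant["granted_by"], grant["granted_on"])

    def how_used(self, user, resource):
        """Q3: how were the access rights used? (number of recorded uses)"""
        return self.usage.get((user, resource), 0)

    def findings(self):
        """Insight into action: unused grants (revocation candidates) and use with no grant (violations)."""
        return {
            "unused_grants": sorted(k for k in self.grants if self.usage.get(k, 0) == 0),
            "access_without_grant": sorted(k for k in self.usage if k not in self.grants),
        }

def report():
    """Build the intelligence view over the constructed data and return its findings."""
    ai = AccessIntelligence(load_rows(GRANTS_CSV), load_rows(ACTIVITY_CSV))
    return ai.findings()
```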

 

Benefits from Automation

Why can’t we just use some smart people armed with spreadsheets to accomplish the same objectives?

  1. Accuracy. Manual methods of data collection and organization inevitably introduce errors, which at best are difficult to find and correct, and at worst, alter business decisions in unfortunate ways.
  2. Timeliness.  Manual methods often take a lot of elapsed time, causing business decisions to be delayed and needed actions to be postponed.
  3. Presentation.  While much can be done with spreadsheet graphics and reports, more powerful reporting, dashboard and presentation facilities may be available with an automated system.
  4. Repeatability.  Manual methods may vary as different people become involved at different parts of the process, causing variability in results from cycle to cycle.
  5. Auditability.  Manual methods are more difficult to audit, because of the variability in the human part of the process.
  6. Cost control.  The costs of manual methods often exceed automated processes, because the labor content of the process recurs in every cycle. Automated methods can reduce these costs.

 

The Bottom Line?

The overall benefit we realize from IAM Intelligence is the ability to take effective business action, based on intelligent business decisions … leading to faster, stronger business success.

 

Spy vs. Spy in Cyberspace – China vs. USA

Identity, Information Security
Author: Mark Dixon
Friday, April 15, 2011
12:04 pm

Thanks to my colleague Kevin Moulton for pointing out an excellent Yahoo! special report: In cyberspy vs. cyberspy, China has the edge.

According to U. S. investigators, China has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. “The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.

Private enterprise is also getting hit big time.

The official figures don’t account for intrusions into commercial computer networks, which are part of an expanding cyber-espionage campaign attributed to China, according to current and former U. S. national security officials and computer-security experts. 

In the last two years, dozens of U. S. companies in the technology, oil and gas and financial sectors have disclosed that their computer systems have been infiltrated. 

In January 2010, Internet search giant Google announced it was the target of a sophisticated cyber-attack using malicious code dubbed “Aurora,” which compromised the Gmail accounts of human rights activists and succeeded in accessing Google source code repositories.

The political ramifications of this cyber warfare are huge. The US and China are the world’s two largest economies, both cooperating and competing on the world’s stage.  With China owning more than $1.1 trillion in U. S. government debt, destabilization of U. S. markets due to Chinese cyberattacks would, in effect, be an attack on China’s economy itself.

The old Mad Magazine Spy vs. Spy comics were hilarious, with each spy destroying the other through nefarious means, and then getting up quickly to compete another day.   On the other hand, the China vs. USA cyberspy game is serious business – we play this one for keeps. 

 

When Can I Pay for Stuff with my iPhone?

Identity, Information Security, Privacy, Technology, Telecom
Author: Mark Dixon
Friday, April 15, 2011
10:47 am

 

I am anxious for the time when I can buy groceries or pay for a meal with my iPhone.  According to Juniper Research, that time may be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014.  NFC, or “Near Field Communication,” is a technology that allows a payment to be made by holding a device, such as a mobile phone, in close proximity to a NFC-capable point of sale terminal.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more to it than just putting mobile wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still face challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and what that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, it’s great to be in the industry that is making this all happen.

 

 

Oracle White Paper: Information Security – A Conceptual Architecture Approach

Identity
Author: Mark Dixon
Thursday, April 14, 2011
8:31 pm
 
I just learned today about a new Oracle whitepaper entitled, “Information Security: A Conceptual Architecture Approach,” written by Paul Toal.  The paper’s basic premise is:

Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. The framework should be based on a reference architecture that takes into account key security principles such as ‘Defence in Depth’ and ‘Least Privileges’. By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business.

The goal of the paper is stated as:

Our aim is to discuss the importance of providing an end-to-end, defence in depth enterprise-wide Information Security architecture with practical proof points, to meet both business and IT requirements for control as well as enabling the organisation to meet their desired goals.

The three major sections of the paper are:

  • Information Security Architecture Requirements
  • Information Security Conceptual Architecture
  • Validation of the Architecture

The paper addresses issues from business policy to technology enablers, effectively showing how information security can support enterprise business objectives and processes.  Thank you, Paul, for providing this excellent white paper.

 

 

We do eat our own dog food (aka Oracle Access Manager 11g)!

Identity
Author: Mark Dixon
Wednesday, April 13, 2011
10:11 pm

I was pleased to receive the following notice from Oracle product management in my email box this week:

Hi All,

As you might know, the transition of Corporate Single Sign-On (Intranet and Extranet) to Oracle Access Manager-11g is complete and the first production deployment of OAM 11g with a multi-million user population is now live. Starting Fri, Apr 1st, 2011, OAM-11g is now taking 100% of authentication load from extranet web properties of Oracle without any incident. All customers that access any Oracle service over the extranet like www.oracle.com, OTN, MOS, ARU etc. are now authenticated with Oracle Access Manager 11g.

It makes me feel good to know that we actually use our own products – even the latest version!

The key statistics for the Extranet deployment are actually quite impressive:

  • Total user population: 12 M
  • Avg daily authentication load so far: 350K users
  • Expected peak daily authentication load: 800K users (around special events like Open World)
  • Avg authentication latency: 120 milliseconds
  • Avg CPU usage: under 5%

Other Highlights:

  • This is the first production deployment of OAM-11 with a multi-million user population.
  • Like the intranet roll-out, this transition to OAM-11 was done with zero downtime. 
  • The gradual/phased ramp-up to 100% load allowed PDIT and dev team to triage problems and fix them before they impacted wider populations.

By the way, I’m not disclosing any secrets.  We were told we could spread this information around!  So have a piece of “virtual” chocolate cake with Fido and me.

 

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.