
Exploring the science and magic of Identity and Access Management
Friday, December 5, 2025

Webcast: Automating User Provisioning – A User’s Perspective

Identity
Author: Mark Dixon
Monday, April 11, 2011
8:30 pm

Tomorrow, Tuesday, April 11th, at 11am PST, Oracle is presenting a live webcast, Automating User Provisioning – A User’s Perspective, featuring Jim Moran, CISO of Educational Testing Service (ETS), in which he discusses ETS’s implementation of Oracle Identity Manager and their cloud deployment plans.

I always enjoy hearing people talk about their experiences in implementing software.  We can learn much from real experiences.

Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.


Being part of the honored 2% isn’t so gratifying

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
3:49 pm


On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies.  All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz-Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands of such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal effect from this data breach. But it does illustrate that we are all vulnerable whenever we trust any confidential information to someone else.



Simplicity, Complexity and Identity Management

Identity
Author: Mark Dixon
Thursday, March 10, 2011
8:47 pm

I have been concerned for some time that Information Technology systems in general, and Identity Management systems in particular, have become so complex that it takes rocket scientists to understand them, implement them, and take care of them. Because of the relative scarcity of rocket scientists, many companies become overwhelmed by the complexity of their IAM systems and either don’t implement them correctly or fail to reap the benefit that could be realized.

Today I stumbled across an intriguing article, Simplicity: A New Model, by Jurgen Appelo, that explored the issues of simplicity and complexity. I liked the definition of simplicity Jurgen used:

Simplicity usually relates to the burden which a thing puts on someone trying to explain or understand it. Something which is easy to understand or explain is simple, in contrast to something complicated. (Wikipedia)

But he went further, explaining simplicity and complexity with the aid of a visual model:

[Figure: Jurgen Appelo’s visual model of simplicity and complexity]

I encourage you to read Jurgen’s article to understand the significance of each visual image.

This made me think, “Is there a way to map IAM systems onto a model like this?”

I don’t know the answer, but it is an issue worth exploring.  I’ll let you know if I come up with some brilliant ideas.


RIP Discovery. A part of my heart dies with you.

Identity
Author: Mark Dixon
Wednesday, March 9, 2011
3:47 pm

[Photo caption: The U.S. space shuttle Discovery deploys the chute as she glides in for landing March 9, 2011, at Kennedy Space Center, Florida. The oldest and most traveled space shuttle, Discovery, landed back on Earth Wednesday after its final space flight and will now end its days as a museum piece to delight the crowds.]

Space Shuttle Discovery landed at Kennedy Space Center in Florida earlier today, completing its 39th and final mission and a “career” of 27 years and 148 million miles flown.

Quoted in a Deseret News article, Former Utah Sen. Jake Garn, R-Utah, who flew as a payload specialist aboard Discovery in April of 1985, said he is extremely saddened at the "retirement" of Discovery:

… it is a "huge, huge mistake" for the U.S. government to turn its back on the 30-year-old space shuttle program that is being shuttered because of operational costs.

"NASA constitutes less than one half of 1 percent of the federal budget," Garn said, adding that the Congressional will to de-fund the program is a decision "I don’t even comprehend."

Amid the sadness, however, he remembered the joy of his Discovery flight:

"There were 16 sunrises and 16 sunsets every day, with 45 minutes of daylight and 45 minutes of darkness. … It is impossible to describe what it is like."

"The magnificent beauty of our planet … it makes you realize how insignificant we are here on Earth and you wonder why we don’t treat each other better."

I never rode the shuttle like Garn (although I would have loved to do so), but I have been fascinated by the space program since I was a little boy. Part of my heart is dying as the shuttle program takes its final breaths. There is something ennobling in man when he looks upward to the stars and takes significant steps to reach them. We lose that when we look downward and judge the space program solely on terrestrial pragmatism.


Dave Kearns and Dictionary.Com on Privacy

Identity, Privacy
Author: Mark Dixon
Tuesday, March 8, 2011
5:44 pm

Triggered by Dave Kearns’ article today, “What is Privacy, Really,” I spent a few minutes this afternoon with my good friend dictionary.com. It is amazing what one can learn about word meanings by (virtually) flipping through the pages of a dictionary.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy.

This was a bit circular in its reasoning, so I looked up “private”:

Private: confined to or intended only for the persons immediately concerned; confidential: a private meeting.

These meanings match well with Dave’s desire to exercise control over when he divulges personal information:

I can see no reason to cough up details of my business, number of employees, target date for purchase, types of computers, operating systems, applications, etc., simply to read a high-class marketing document

A related term is confidential – again related to the ability to keep information private:

Confidential: spoken, written, acted on, etc., in strict privacy or secrecy; secret: a confidential remark.

For example, I can assure you that there are details of my personal life that nobody but my wife knows.  We intend to keep it that way, even if powers like Facebook and Google would have it otherwise.


Identity and Access Intelligence

Identity
Author: Mark Dixon
Friday, March 4, 2011
4:52 pm

Way back in September 2009 (it seems like an eternity in Identity years), I made a prediction that data analytics would begin to play a larger role in the Identity and Access Management market:

Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).

Following my blog post this morning, Alan Norquist, CEO and founder of Veriphyr, dropped me an email which at least partially confirmed that prediction.  Alan referred me to an article by Earl Perkins of Gartner entitled, Time for Intelligence and Clarity in IAM.

A few excerpts:

Something interesting is developing in the identity and access management arena. It isn’t new – if you look closely, you’ll recognize it from countless other technologies and processes that progress to maturity. IAM is no different. What I’m seeing is the maturing of intelligence. …

One could even say that once that knowledge gets into the hands of the right people and they make actionable decisions with it, it’s no longer knowledge – it’s intelligence. …

IAM should be (among other things) about clarity. How do we make clear to the business that there is intelligence on those [IAM] logs, waiting to be mined, and that intelligence may make all the difference in their decisions? The best way is to deliver it, to provide that IAM intelligence is more knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

Gartner calls this “Identity and Access Intelligence.”  I am trying to get a copy of the full Gartner report on this topic.  I’ll comment more when I do.


Who Used those Access Rights, How?

Identity, Information Security
Author: Mark Dixon
Friday, March 4, 2011
10:14 am

The natural first question to ask when discussing Identity auditing is,

Who has access to what?

This question is naturally followed by,

Who granted those access rights, when?

More of my customers are asking a third question,

Who used those access rights, how?

The first two questions address the assignment of access rights to individuals; the third question addresses actual use of access rights after assignment.

Oracle has excellent tools to address the first two questions, but we currently lack a good solution for the third.

Why is this third category important?  Some things my customers ask for are:

  1. Which users did not use an access right during the past quarter?  They may not need that right at all.
  2. What patterns of access can we find?  This may help discover roles for provisioning and attestation.
  3. What access attempts are anomalies?  This may help identify and remediate fraudulent use.
  4. Where are potential vulnerabilities in my identity administration and access control methods?
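
The four questions above are answerable only by joining the entitlement list (who holds what, granted by whom, when) with the access log (who actually exercised what, when, with what outcome). The following Python is an added illustration, not code from this post or from any of the products it mentions; the entitlement records, the log lines and their “timestamp user right outcome” format are constructed sample data, and the business-hours window and denial threshold are assumed values a real deployment would tune.

```python
"""Correlating entitlement assignments with access events to answer
'who used those access rights, how?'. All data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed entitlement assignments: (user, right, granted_by, granted_on).
ENTITLEMENTS = [
    ("alice", "payroll_read",  "hr_admin", "2010-11-02"),
    ("alice", "payroll_write", "hr_admin", "2010-11-02"),
    ("bob",   "payroll_read",  "hr_admin", "2010-12-15"),
    ("carol", "db_admin",      "dba_lead", "2010-09-01"),
]

# Constructed access events, one per line: "timestamp user right outcome".
ACCESS_LOG = """\
2011-01-05T09:12:41 alice payroll_read OK
2011-01-06T09:15:03 alice payroll_read OK
2011-02-10T22:47:19 alice payroll_write OK
2011-01-11T08:55:00 bob payroll_read OK
2011-02-20T03:02:10 bob payroll_write DENIED
2011-02-20T03:02:15 bob payroll_write DENIED
2011-02-20T03:02:21 bob payroll_write DENIED
"""


def parse_log(text):
    """Turn the sample log into (datetime, user, right, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, right, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, right, outcome))
    return events


def unused_rights(entitlements, events, start, end):
    """Question 1: rights held but never successfully exercised in [start, end)."""
    used = {(u, r) for ts, u, r, o in events if o == "OK" and start <= ts < end}
    return sorted((u, r) for u, r, _, _ in entitlements if (u, r) not in used)


def access_patterns(events):
    """Question 2: which rights each user actually exercises together.
    This per-user set is the raw input a role-mining step would cluster."""
    by_user = defaultdict(set)
    for _, u, r, o in events:
        if o == "OK":
            by_user[u].add(r)
    return {u: sorted(rs) for u, rs in by_user.items()}


def anomalies(entitlements, events, business_hours=(7, 19), denied_threshold=3):
    """Question 3: repeated denials on a right the user does not even hold, and
    successful use outside the assumed business-hours window."""
    held = {(u, r) for u, r, _, _ in entitlements}
    findings = []
    denied = Counter((u, r) for _, u, r, o in events
                     if o == "DENIED" and (u, r) not in held)
    for (u, r), n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_denied_unheld", u, r, n))
    for ts, u, r, o in events:
        if o == "OK" and not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(("off_hours_use", u, r, ts.isoformat()))
    return findings


def quarter_report():
    """Run all three checks over the constructed data for Q1 2011."""
    ev = parse_log(ACCESS_LOG)
    return {
        "unused": unused_rights(ENTITLEMENTS, ev, datetime(2011, 1, 1), datetime(2011, 4, 1)),
        "patterns": access_patterns(ev),
        "anomalies": anomalies(ENTITLEMENTS, ev),
    }


if __name__ == "__main__":
    for name, result in quarter_report().items():
        print(f"{name}: {result}")
```

On the constructed data the report shows carol’s db_admin right as unused for the quarter (a candidate for revocation, the post’s first question), alice’s payroll rights as a used-together pair (role-mining input, the second question), and two anomalies for the third question: bob repeatedly denied on a right he was never granted, and a payroll write at 22:47. The fourth question, weaknesses in the administration process itself, is what you get by following the `granted_by` column back to the approver once such findings surface.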

So, where can we find solutions?

I have been impressed with a small startup, Veriphyr, that provides:

“an on-demand, pay-per-use analytics service that discovers user access vulnerabilities and privilege abuse on mainframe, midrange, Linux/Unix, and Windows servers. … Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.”

There is a broad category of Security Information and Event Management (SIEM) systems that address this area. In the Gartner Magic Quadrant report for SIEM systems that I downloaded from Q1Labs website, Gartner defines this market segment as:

Security information and event management (SIEM) technology provides two major functions for security events from networks, systems and applications:

  • Security information management (SIM) – log management and compliance reporting
  • Security event management (SEM) – real-time monitoring and incident management

SIEM deployments are often funded to address regulatory compliance reporting requirements, but organizations should also use SIEM technology to improve threat management and incident response capabilities.

Three companies in the leader quadrant of the Gartner report are ArcSight, RSA and Q1Labs, but a total of 20 companies were covered in the report. I am by no means a SIEM expert. I have no idea whether Oracle will get in the SIEM game (and I couldn’t tell you if I did know), but I believe this is an important area for our customers. It will be interesting to see what transpires.


Why Federated Identity is easier said than done

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:52 pm

Stephen Wilson of The Lockstep Group in Sydney, Australia, is scheduled to present an interesting paper, Why Federated Identity is easier said than done, at the AusCERT2011 conference in May. Based on the abstract, the complete paper should be really interesting.

Stephen states that despite,

“near universal acceptance of the idea of Federated Identity … higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.”

He further asserts that lingering resistance to full adoption results from the fact that,

“Federated Identity is in fact a radical and deeply problematic departure from the way we do business.  … Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.”

Stephen’s final comment:

“If we focused on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.”

If Identity Federation really doesn’t match the way we do business, it will be interesting to see how Stephen expands on and clarifies that final statement in the full paper.


Emerging Identity Oracles

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:20 pm

Oracle: “In Classical Antiquity, an oracle was a person or agency considered to be a source of wise counsel or prophetic opinion, predictions or precognition of the future, inspired by the gods.”

Thanks to Nishant Kaushik for pointing out Anil John’s thought-provoking article, “Identity Oracles and their role in the Identity Eco-System.” In his introductory tweet, Nishant suggested, “Some thing for @trulyverified to think about.”

Since I recently signed up for the Tru.ly service, I thought Nishant’s advice was timely.

It was interesting to review the four characteristics of an Identity Oracle outlined by Bob Blakley, currently the Gartner Research VP for Identity and Privacy:

  • An organization which derives all of its profit from collection & use of your private information…
  • And therefore treats your information as an asset…
  • And therefore protects your information by answering questions (i.e. providing meta-identity information) based on your information without disclosing your information…
  • Thus keeping both the Relying Party and you happy, while making money.

Some emerging companies fit part of this definition.  Certainly Tru.ly relies on information I provide and they verify, as an asset, and have based their business plan on such assets.

However, others come at it from a different direction: Acxiom and LexisNexis offer Identity Verification and Authentication services based on publicly-available information. Neither company has asked me whether they can use my information, but Acxiom claims, “Acxiom’s identification platform utilizes demographic and geographic data in challenge questions with nearly 900 data elements for more than 300 million individuals.” LexisNexis claims, “Access to vast data resources – more than 20 billion public and proprietary records.”

Acxiom and LexisNexis customers pay for the privilege of tapping into those vast stores of personal information to provide authentication and validation services.

Does this make Acxiom and LexisNexis Identity Oracles? What about Tru.ly or Trufina, or similar companies? Do the three major credit bureaus qualify? Perhaps none are complete Identity Oracles in the true sense of Bob Blakley’s definition. But they are getting close.
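
The third of Blakley’s characteristics, answering questions based on your information without disclosing your information, is the one that distinguishes an oracle from a plain data broker, and it has a well-known pitfall: a relying party allowed to ask “is this person over N?” for any N can recover the exact birth date by binary search. The Python below is an added illustration written for this post, not code from Tru.ly, Acxiom, LexisNexis or any other company named above; the subject record, the relying-party policy and the fixed age thresholds are all constructed assumptions.

```python
"""A minimal identity oracle: relying parties get yes/no answers to a
whitelisted set of predicates, never the underlying attributes. Constructed
example; subjects, policies and thresholds are made up."""
from datetime import date

# Constructed subject record held by the oracle. It is never returned as-is.
SUBJECTS = {
    "subject-42": {"birth_date": date(1985, 6, 30), "country": "AU"},
}

# Constructed per-relying-party policy: which predicates each RP may ask.
RP_POLICY = {
    "wine-shop":  {"over_age"},
    "gov-portal": {"over_age", "resident_of"},
}

# Only coarse, business-meaningful thresholds are answerable, so repeated
# queries cannot narrow the birth date below "between 18 and 21" etc.
ALLOWED_AGE_THRESHOLDS = {18, 21}


class IdentityOracle:
    def __init__(self, subjects, policy, today):
        self._subjects = subjects
        self._policy = policy
        self._today = today
        self.audit = []  # (rp, subject, predicate, args, answer) for later review

    def _over_age(self, rec, years):
        if years not in ALLOWED_AGE_THRESHOLDS:
            raise ValueError(f"age threshold {years} is not an allowed question")
        bd, t = rec["birth_date"], self._today
        age = t.year - bd.year - ((t.month, t.day) < (bd.month, bd.day))
        return age >= years

    def _resident_of(self, rec, country):
        return rec["country"] == country

    PREDICATES = {"over_age": _over_age, "resident_of": _resident_of}

    def ask(self, rp, subject_id, predicate, *args):
        """Answer True/False for a predicate the RP is entitled to ask; refuse
        anything else. Raw attribute values never appear in the return value."""
        if predicate not in self._policy.get(rp, set()):
            self.audit.append((rp, subject_id, predicate, args, "REFUSED"))
            raise PermissionError(f"{rp} may not ask {predicate}")
        rec = self._subjects[subject_id]
        answer = self.PREDICATES[predicate](self, rec, *args)
        self.audit.append((rp, subject_id, predicate, args, answer))
        return answer


def demo():
    """Exercise the oracle with a fixed 'today' (the post's date) and return
    what each relying party learned."""
    oracle = IdentityOracle(SUBJECTS, RP_POLICY, today=date(2011, 3, 3))
    results = {}
    results["wine_shop_over_18"] = oracle.ask("wine-shop", "subject-42", "over_age", 18)
    results["gov_portal_resident_au"] = oracle.ask("gov-portal", "subject-42", "resident_of", "AU")
    try:
        oracle.ask("wine-shop", "subject-42", "resident_of", "AU")
        results["wine_shop_residency"] = "answered"
    except PermissionError:
        results["wine_shop_residency"] = "refused"
    try:
        oracle.ask("gov-portal", "subject-42", "over_age", 25)
        results["gov_portal_over_25"] = "answered"
    except ValueError:
        results["gov_portal_over_25"] = "refused"
    results["audit_entries"] = len(oracle.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry the weight here: the policy table decides which relying party may ask which question at all, and the predicate implementation decides how finely any answer can slice the attribute. The audit list records every refused and answered question, which is what lets the subject (and a regulator) see who has been asking about them.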

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.