
Exploring the science and magic of Identity and Access Management
Saturday, December 6, 2025

Perspectives on Identity and Cloud Computing

Identity
Author: Mark Dixon
Wednesday, May 19, 2010
9:28 am

Dave Kearns identified three separate focus areas for Identity and Cloud Computing in his Network World post today:

Identity-in-the-cloud, or Identity as a Service:

IdM services such as provisioning, governance, role management, compliance, etc. are hosted "in the cloud."

Identity-for-the-cloud:

Provisioning services for cloud apps provided by traditional, on-premise, provisioning vendors as well as other identity services (privileged user management, compliance, etc.) extended to the cloud from your data center.

Meshed, or integrated, on-premise/in-the-cloud:

Linking on-premises Identity Management infrastructure and cloud identity data from cloud-hosted applications.

More than anything, this points out that the intersection of Identity Management and Cloud Computing is a multi-faceted issue. “Cloud” may refer to where the Identity Management services are hosted, to where the applications that consume those services reside, or to a combination of both.

Certainly worth further exploration.


Online Identity Management: Get Found!

Identity
Author: Mark Dixon
Tuesday, May 18, 2010
10:10 pm

I dedicate a column in my laptop TweetDeck application to the search term “Identity Management.”  It is enjoyable to scroll through now and then to see what folks have to say about this important topic.   Tonight, I was intrigued by a tweet from @susanguarneri “Online Identity Management: Get Found! http://bit.ly/djdFRm”.

It was interesting to find that Susan Guarneri, AKA the Career Assessment Goddess, defines Identity Management this way:

“Online identity management is career management for the employed and unemployed. Online identity management is also business management, particularly if your small business centers on you. Rather than waiting and hoping that your career or business future plays out successfully, why not take back control? Find out how you can get found online, differentiate yourself, and stand out positively from your competition.”

That is quite a bit different from Wikipedia’s definition:

“Identity management or ID management is a broad administrative area that deals with identifying individuals in a system (such as a country, a network or an organization) and controlling the access to the resources in that system by placing restrictions on the established identities.”

It all goes to show how different perspectives may yield different definitions.  To Susan, Identity Management is all about taking control of one’s personal Identity in cyberspace.  To the unknown Wikipedia author (by the way, that article is begging for a re-write), Identity Management is all about some organization controlling the Identities of others.

Both are valid viewpoints.  It just pays to understand the perspective of each user of a phrase before passing judgment.


Copy Machine Security Threat: A Solution

Identity
Author: Mark Dixon
Monday, May 17, 2010
8:51 pm

In response to my colleague, Jack Crail, who circulated the link to the video in my previous post, another colleague, Brad Diggs, responded:

Hey Jack,

No, this isn’t an urban legend. I have been working up a blog post that gives folks a strategy for how to deal with it. I am the deacon of IT at my church and we have had to deal with it head on. For everyone’s benefit, your best friend in this is Darik’s Boot and Nuke. Of course the best thing is to make sure that the drive is not accessible by anyone that shouldn’t be accessing it. You also need to make sure that you pull the drive whenever you have it serviced, sell it or dispose of it.

Lastly, note that this risk applies to both photocopiers AND printers with internal print queues.

Have a great day!

Brad

Brad followed up that note with an excellent post on his blog recommending a step-by-step process to deal with the problem.

Thanks, Brad!

 

Your Copy Machine – A Security Threat?

Identity
Author: Mark Dixon
Monday, May 17, 2010
1:44 pm

The thought never crossed my mind until my colleague Jack Crail sent me a link to this short CBS News video that outlines little-known security risks lurking in the background: hard drives in digital copiers containing thousands of pages of sensitive information.

 

A companion print article highlighted a short study of four copiers detailed in the video:

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders.

On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting "print" on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Who knows how much of your personal information is floating out in never-never land on copier hard drives you may not have even known about?

 

Apollo – the VBOF Stork

Identity
Author: Mark Dixon
Thursday, April 1, 2010
3:42 pm

My blogging efforts have been on an extended hiatus recently as I have focused on becoming familiar with the new Oracle landscape. Perhaps there is no better way to return to the blogosphere than to announce the winner of the Sun VBOF Stork naming contest.

A bit of explanation is in order …

In December and January, I hosted a short-lived series of “Virtual Birds of a Feather” (VBOF) sessions, held via teleconference and Webex.  These sessions, which were open to Sun employees and SI partners, covered such interesting topics as:

  • Identity Roles and Personae
  • Current Trends and Issues around Entitlements Certification
  • Identity and Access Management in Cloud Computing

We had people from literally around the world participating in these live sessions, and collectively learned much through cooperative discussion of Identity Management topics.

As I was searching for appropriate artwork to use for VBOF presentations, I stumbled across a photo of a gallant old stork in the Sun artwork collection. We adopted the old bird as the VBOF mascot and launched a little election to determine what to name him.

The winning name was nominated by Dr. Rene Klomp, Senior Solution Architect from the Netherlands, who suggested that Apollo is:

“God of the Sun, who had an Oracle in Delphi. Also ‘Apollo’ can be read ‘a pollo’ which means ‘a chicken’ which is of course a virtual stork! Oh well, they’re both birds so what the heck.  Last but not least, Apollo took us to the moon, which gives us light after the Sun has set.”

Today, I finally received a photo of Rene wearing the one and only Apollo/VBOF shirt, which he received as winner of our little contest.

[Photo: Rene Klomp wearing the Apollo/VBOF shirt]

Congratulations to Rene for both nominating the winning name and wearing the shirt so stylishly!

I don’t know yet whether we’ll revive the VBOF concept within Oracle, but if we do, I’m sure Apollo the VBOF Stork will be waiting in the wings.


Identity Services for Cloud Computing

Identity
Author: Mark Dixon
Tuesday, February 9, 2010
4:57 pm

To support recent discussions about Identity Management and Cloud computing, I divided the types of Identity Services that might be needed to support Application services into three major categories as shown in the following diagram and explained in a bit more detail below:

[Diagram: Identity Services for Cloud Computing (IDaaS)]

The specific services provided in each category could include:

Identity Administration Services

  • Create, update, delete identities
  • Password/credential management
  • Entitlement definition/management
  • Provision/de-provision access privileges
  • Role engineering/management
  • Policy definition/management

Identity Enforcement Services

  • Authentication
  • Authorization
  • Access control
  • Federation
  • Web services security

Identity Audit Services

  • Reporting
  • Evaluation
  • Attestation
  • Validation
  • Remediation

Did I miss any services that you think should be present?  Any input on the categories or types of services?  Any input or criticism would be most welcome.


Users of Cloud-based Services

Identity
Author: Mark Dixon
Thursday, February 4, 2010
9:54 am

The following chart may be helpful as we consider the different types of users that should be addressed by Identity and Access Management (IAM) technology and processes in cloud computing.

[Chart: users of cloud-based services by layer]

At the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) layers, the only users are administrators of the platform or infrastructure services, respectively. However, these administrative users may be either on the provider side or on the recipient or enterprise side. End users, whether within the enterprise (employees or contractors) or external to the enterprise (customers and partners), only exist at the application layer or Software as a Service (SaaS) layer.

This illustrates how cloud computing introduces increased complexity into IAM. Not only do the different layers (PaaS, IaaS and SaaS) have unique requirements, but multiple organizations (e.g. provider and enterprise) need to be considered.

For example, the nature of PaaS services will require provider administrators to have root access to the operating system, while enterprise administrators at the SaaS level may only need access to application configuration functions, and external SaaS users only need access to selected application functions.

Hopefully, this provides food for thought as we explore IAM in cloud computing.  I’d be grateful to hear your comments.


Identity-Enabled Patient Consent Management

Identity
Author: Mark Dixon
Thursday, January 28, 2010
3:47 pm

Last Thursday, January 21st, I gave a presentation at the Sun Horizons conference, “Healthcare Integration Through a New Perspective.”  The title of my talk was “Identity Management: Securing Information in the HIPAA Environment.”  I explored how the complementary functionality of Identity Management and Master Patient Index technologies can enable effective Patient Consent Management, a vital requirement for online health information networks.

A copy of my presentation deck is available for download here.

At the heart of the presentation was the following diagram, which illustrates the major components required in a Patient Consent Management system:

[Diagram: Patient Consent Management components]

A brief explanation of key components follows:

Identity and Role Repository

IAM technology and methods provide the foundation for an effective patient consent management system.  An Identity and Role Repository contains Identities, roles and access control credentials necessary to support the consent system.  This repository includes:

  • Patients
  • Providers
  • Access Rights
  • Roles (map business responsibilities to access rights)
  • Override Rights (only users with specific roles can perform an override without consent)

Consent Registry

A consent registry is required to specify what permissions have been granted by patients, within the allowable limits specified by each applicable jurisdiction.   Some of the key attributes include:

  • Consent Permissions for
    • Patients
    • Organizations
    • Users
  • System-wide mask (everyone)
  • Fine-grained access
  • Include or exclude attributes
  • Accommodation for multiple jurisdictions

Master Patient Index

A Master Patient Index enables correlation of patient data across multiple repositories. This is essential because patient records are typically held in multiple locations. Even where patient records exist in the same physical data warehouse, they are often logically separated.

Federated Data Access

If patient data is located in physically or logically separate locations, federated data access control allows access across domain boundaries without compromising the privacy or integrity of individual patient record repositories.

Data Access Services

By providing a set of centralized data access services governed by IAM, the Consent Registry and the Master Patient Index, a secure method of patient data access is possible.
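To make the interplay of these components concrete, here is an added example (not from the original post or the presentation) that models the access decision a Data Access Service would make: it consults a role repository for read and override rights, a consent registry for per-organization and per-user permissions with include/exclude attribute masks, a system-wide mask, and a per-jurisdiction limit that consent cannot widen. All class names, role names, attribute names and jurisdiction rules are hypothetical, constructed sample data.

```python
from dataclasses import dataclass, field

# Identity and Role Repository entry (constructed sample; names are hypothetical)
@dataclass
class Principal:
    user_id: str
    org: str
    roles: set = field(default_factory=set)

# Roles map business responsibilities to access rights; only roles holding
# "override_consent" may read without the patient's consent.
ROLE_RIGHTS = {"physician": {"read_record"},
               "er_physician": {"read_record", "override_consent"}}

# Consent Registry entry (constructed sample)
@dataclass
class Consent:
    patient_id: str
    jurisdiction: str
    allowed_orgs: set = field(default_factory=set)
    allowed_users: set = field(default_factory=set)
    include: set = field(default_factory=set)  # masked attributes patient opted in
    exclude: set = field(default_factory=set)  # attributes patient opted out

# System-wide mask: hidden from everyone unless the patient explicitly includes it.
SYSTEM_MASK = {"psychiatric_notes"}
# Per-jurisdiction limits that consent cannot widen (hypothetical values).
JURISDICTION_MASK = {"NY": {"hiv_status"}, "CA": set()}
SAMPLE_CONSENT = Consent("p-001", "NY", allowed_orgs={"clinic-a"},
                         include={"psychiatric_notes"}, exclude={"lab_results"})

def can_access(principal, consent, attribute, override=False):
    """Decide access to one attribute of one patient record; returns (bool, reason)."""
    rights = set().union(*(ROLE_RIGHTS.get(r, set()) for r in principal.roles))
    if "read_record" not in rights:
        return False, "no read right"
    if attribute in JURISDICTION_MASK.get(consent.jurisdiction, set()):
        return False, "masked by jurisdiction"        # applies even to overrides
    if override:
        if "override_consent" in rights:
            return True, "override without consent (log to Audit Services)"
        return False, "role may not override consent"
    if principal.org not in consent.allowed_orgs and principal.user_id not in consent.allowed_users:
        return False, "no consent from patient"
    if attribute in consent.exclude:
        return False, "attribute excluded by patient"
    if attribute in SYSTEM_MASK and attribute not in consent.include:
        return False, "system-wide mask"
    return True, "consented"
```

Every decision returns a reason string so the Audit Services described in the Identity Services post can record why access was granted or denied, with overrides standing out for attestation.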


The Value of Data and Meaningful Analytics

Identity
Author: Mark Dixon
Tuesday, January 19, 2010
11:45 am

Semantics: “The study of meaning”

This morning I read a thought-provoking article by my associate Mark Montgomery entitled “Systemic failures, by design.” The article proposes that in many high-profile cases, catastrophes could have been averted or moderated if appropriate semantic-based analysis and action had been taken, based on data that existed prior to the event:

Over the course of the past dozen years the U.S. has experienced a series of dangerous and costly systemic failures throughout our security and regulatory framework. The unfettered bubble in technology, missed opportunities to prevent 9/11—leading to two ongoing wars, the tragic response to Katrina, the largest financial crisis in history, the Fort Hood massacre, and the ‘underwear bomber’ incident on Christmas Day all share one commonality.

In each of these cases, data had been collected by U.S. government agencies that contained a high probability of either entirely preventing or substantially mitigating each event, if only the information had been recognized and acted upon within the window of time allowed by circumstances. In case after case, repeated warnings by recognized experts, sourced internally and externally, were ignored or suppressed.

In the past few months, I blogged a couple of times about the use of data analytics with Digital Identity:

In his address at Digital ID World, Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing. He proposed that advanced analytic techniques could be effectively used to pinpoint the identities of people of interest based on patterns of use of mobile phones and other data sources readily available today.

While there is certainly a danger of loss of freedom for ordinary citizens due to government surveillance, it is apparent that a much better job of identifying and acting upon potential threats, and the identities of the people involved, is quite possible if existing data, lawfully acquired, is analyzed more effectively in meaningful (aka semantic) ways.


Identity Management: Securing Information in the HIPAA Environment

Identity
Author: Mark Dixon
Friday, January 15, 2010
3:53 pm

Next Thursday, January 21st, I will be giving a presentation at the Sun Horizons conference, “Healthcare Integration Through a New Perspective.” My topic will be “Identity Management: Securing Information in the HIPAA Environment.” I will explore how the complementary functionality of Identity Management and Master Patient Index technologies can enable effective Patient Consent Management, a vital requirement for online health information networks.

[Image: Sun Horizons conference banner]

If you would like to discuss the topic or meet me in Washington, DC, please drop me a line.  After the event, I’ll post my presentation deck for review.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.