Exploring the science and magic of Identity and Access Management

Digital ID World – Final Thoughts

Identity
Author: Mark Dixon
Thursday, September 17, 2009
11:14 am

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here are my top ten final thoughts about the conference (without the benefit of Day 3):

  1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
  2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
  3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
  4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
  5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
  6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
  7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
  8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
  9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
  10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?


Digital ID World – Day 2

Identity
Author: Mark Dixon
Tuesday, September 15, 2009
9:37 pm

Today was really the first “official” day of the Digital ID World conference, but for me – Day 2.  So, here are some short highlights of the sessions I attended.

Cops and Robbers, Las Vegas Style – Jeff Jonas, Chief Scientist, IBM Entity Analytic Solutions

  • Las Vegas is his “laboratory” for identity analytics – resorts typically have 100+ systems and 20,000+ sensors
  • Context engines close the gap between the rapidly increasing amount of digital data and the less rapid growth of “sense-making” algorithms
  • Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people

Context Automation – Phil Windley, CTO, Kynetx

  • Web marketing today is focused on servers, using the metaphor of “location”
  • Focus on “purpose” from the client’s perspective, using an intelligent, adaptable browser, will bridge between server-based silos to give users a richer, more purposeful experience

The Implications of Privacy on IDM – Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Many cultural differences are evident between nations and areas of the world with regard to privacy, security and identity management expectations.
  • Companies doing business internationally will need to be sensitive to cultural and legal issues in the nations where they do business.
  • People are growing tired of fact-based identity
  • Perceptions of privacy are inextricably linked to identity and authentication

Business Process and Legal Issues in Cross-Org Secure Collaboration – Peter McLaughlin, Foley & Lardner

  • Regulatory language should be treated as a floor, rather than a ceiling
  • Normal industry practices may represent minimum requirements but may not guarantee compliance
  • Make sure your business partners abide by the same laws your company is subject to
  • Reputational risk will always stay with your company, but you may seek to share financial risk with partners

Identity Governance Frameworks – Marc Lindsey, Levine, Blaszak, Block & Boothby

  • Legal agreements seek to apportion liability – who is responsible for what?
  • Comprehensive frameworks for governing such agreements are emerging
  • Modern federation agreements need to be better than the old EDI agreements

Dealing with International Privacy Laws – Discussion led by Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Complex international privacy laws affecting data transport hamper organizations’ ability to do their legitimate work.
  • Will it be easier or harder to deal with international differences in privacy laws in five years?  (majority of audience said no)

Federation is Dead: Long Live the Federation Fabric – Symplified

  • Federation must move to a utility model to overcome the cost and complexity of one-to-one integration.

Building Good Practices into Your Processes – Edward Higgins, Vice President of Security Services, Digital Discovery Corporation

  • Education of employees on good security practices is a critical part of getting value from your IDM investment

 

 

Digital ID World – Day 1

Identity
Author: Mark Dixon
Tuesday, September 15, 2009
9:17 pm

On Monday and Tuesday this week, I attended the Digital ID World (DIDW) conference held at the Rio Hotel in Las Vegas.  It has been enjoyable to take the pulse of the industry from yet another vantage point and connect with fellow Identity Management practitioners from diverse locations.  Of course, the first question nearly everyone asked me had something to do with Oracle, but, of course, I can’t talk about that.  So, here are very brief highlights of each session I attended the first day (Authentication and Virtual Directory “Summit Sessions”):

The State of Authentication and its Impact on IDM – Jim Reno, CTO, Arcot

  • “Risk Based Authentication” is a fourth factor of authentication, augmenting traditional factors (what you have, know, and are)
  • Authentication should consider context when assessing risk

Authentication Case Study – Naomi Shibata, former GM/COO, MLSListings

  • Communication with users is essential prior to an authentication system rollout

The Future of Authentication – panel including Jim Reno and Naomi Shibata, moderated by Bill Brenner, Sr. Editor of CSO Magazine

  • Business, legal, regulatory and liability issues are more onerous than technical issues when considering an authentication system
  • Authentication technology advances usually occur in response to advances in threats
  • Enterprises should periodically re-verify appropriateness of installed authentication systems in light of advances in technology and threats
  • Identity assurance is increasing in importance

Identity Service Virtualization and Context Management – Michel Prompt, CEO/Founder, Radiant Logic

  • It is difficult to define Identity without understanding the context in which it is used
  • Understanding relationships between identity objects enables a global model that links identities together to enable contextual views
  • Such Identity linking can occur in a virtualization layer between diverse identity repositories and applications which consume those identities

Case Study: Identity Services and Virtualization – Bill Brenner, CSO Magazine and Mohammad Khattak, Booz Allen Hamilton

  • Dynamic Access Control requires a consolidated identity repository fed by many sources of identity information
  • When aggregating data sources, we need to understand the trust level in each source repository

Impact of Oracle/Sun Acquisition – David Rusting, Unisys and Todd Clayton, CoreBlox

Note: I am restricted from commenting on product roadmaps or anything related to the Oracle acquisition of Sun.  The following comments are views expressed by the panelists.

  • The primary discussion focused on how customers should plan for potential changes in either Sun or Oracle directory roadmaps
  • A virtualization layer between directory and applications may provide a layer of abstraction to shield customers from changes in vendor roadmaps and reduce ties to a single vendor
  • This may be a time to re-evaluate application needs and determine which direction to go with regards to directory technology

Stay tuned for Day 2!


Privacy Principles Depend on Context

Identity
Author: Mark Dixon
Friday, September 11, 2009
12:48 pm

It is an interesting exercise to Google the term “Privacy Principles” and review the different definitions of privacy and different lists of fundamental privacy principles established by various enterprises, organizations and government agencies.  While there are threads of commonality throughout these different lists, it is intriguing to see how different perspectives can emphasize different issues.

For example, at the Burton Group Catalyst Conference in July, Bob Blakley proposed the following list of privacy principles (further described in the white paper, “Privacy” by Ian Glazer and Bob Blakley, which is available by subscription):

  1. Accountability
  2. Transparency
  3. Meaningful choice
  4. Minimal collection and disclosure
  5. Constrained use
  6. Data quality and accuracy
  7. Validated access
  8. Security

In December, 2008, The U.S. Department of Health and Human Services issued guidance on how to conform with HIPAA privacy and security requirements. This guidance consists of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which also sets forth eight Privacy Principles:

  1. Individual Access. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

  2. Correction. Individuals should have a way to timely question the accuracy or integrity of their individually identifiable health information and to have erroneous information corrected or to have a dispute documented if their requests are denied.

  3. Openness and Transparency. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.

  4. Individual Choice. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.

  5. Collection, Use, and Disclosure Limitation. Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish specified purposes and never to discriminate inappropriately.

  6. Data Quality and Integrity. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.

  7. Safeguards. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

  8. Accountability. The Principles in the Framework should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

You can see both similarities and differences in these lists. 

Ian and Bob observed in their report that privacy is highly dependent on the context in which it is applied:

Privacy is, fundamentally, contextual. Any question about privacy must be understood in the context of:

  • The starting assumptions and principles of the parties
  • The relationship between the parties
  • The interaction between the parties among which private information is shared
  • The domain (e.g., sector, nation, etc.) in which the parties are interacting
  • The societal norms to which the parties adhere

Minor variations in any one of these contextual aspects of the situation can lead to major differences in the privacy practices that should be applied.

So, while on the surface one might expect that a standard set of privacy principles would apply in all cases, each enterprise, market or agency must view privacy from their own slightly different perspective, based on the context within which privacy principles are applied.  Normalized lists of privacy principles may provide a valuable foundation, but it is critical for each enterprise or organization seeking to implement an effective privacy program to establish their own list, depending on their context.


“Anonymized” Data Really Isn’t

Identity
Author: Mark Dixon
Thursday, September 10, 2009
5:37 pm

I enjoy watching re-runs of the television drama, NCIS, where a dysfunctional little group of crime-fighting superstars often analyze divergent bits of data to solve seemingly unsolvable mysteries.  Last night, Agent McGee correlated data from phone records, automobile registrations and police station activity records to pinpoint a bad cop in collusion with an international drug lord.  Far fetched?  Perhaps not.

I have been spending much of my time recently preparing a white paper addressing the issues of HIPAA privacy and security compliance, particularly in light of expanded regulations emerging from the “stimulus bill” signed into law earlier this year.  As I have explored privacy issues related to electronic health records, I was particularly intrigued by an article by Nate Anderson entitled “’Anonymized’ Data Really Isn’t and here’s why not”, published in Ars Technica earlier this week.

On the surface, it would seem that removing obvious identifiers such as name, address and Social Security Number from a person’s data record would cause that record to be “anonymous” – not traceable to a single individual.  This approach is commonly used by large data repositories and marketing firms to allow mass data analysis or demographic advertising targeting.

However, work by computer scientists over the past fifteen years shows that it is quite straightforward to extract personal information by analyzing seemingly unrelated, “anonymized” data sets. This work has “shown a serious flaw in the basic idea behind ‘personal information’: almost all information can be ‘personal’ when combined with enough other relevant bits of data.”

For example, researcher Latanya Sweeney showed in 2000 that “87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex.”

Professor Paul Ohm of the Colorado School of Law, in his lengthy new paper on “the surprising failure of anonymization,” wrote:

As increasing amounts of information on all of us are collected and disseminated online, scrubbing data just isn’t enough to keep our individual "databases of ruin" out of the hands of the police, political enemies, nosy neighbors, friends, and spies.

If that doesn’t sound scary, just think about your own secrets, large and small—those films you watched, those items you searched for, those pills you took, those forum posts you made. The power of re-identification brings them closer to public exposure every day. So, in a world where the PII concept is dying, how should we start thinking about data privacy and security?

Ohm went on to outline a nightmare scenario:

For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical ‘database of ruin,’ the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Re-identification has formed the database of ruin and given access to it to our worst enemies.

I won’t ask what your “blackmail-able facts” might be, and won’t tell you mine.  But it is sobering to think what abuses might emerge from the continued amassing of online data about all of us.  This certainly casts new light on the importance of privacy and security protections for all of our personal data.
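The risk Sweeney measured can be checked before a data set is released. The following is an added example (not code from this post, from Ars Technica, or from Sweeney’s research): it computes the k-anonymity of a small constructed, already “anonymized” record set on the three quasi-identifiers named above (ZIP code, birthdate, sex), then shows how generalizing those fields and suppressing small groups raises k. All record values are invented, and the function names are this example’s own.

```python
"""k-anonymity check on quasi-identifiers (added example, not from the original post).

A record is only as anonymous as the size of the group of records that share
its quasi-identifier combination. k == 1 means at least one record is unique
and can be re-identified by anyone holding a public list (voter rolls, for
instance) that carries the same three fields plus a name.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

QUASI_IDS = ("zip", "birthdate", "sex")

# Constructed sample: names and SSNs already stripped, yet every row still
# carries the three quasi-identifiers. Every value here is invented.
RECORDS: List[Dict[str, str]] = [
    {"zip": "02138", "birthdate": "1965-07-13", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birthdate": "1965-07-13", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birthdate": "1972-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birthdate": "1972-11-20", "sex": "M", "diagnosis": "flu"},
    {"zip": "02141", "birthdate": "1980-01-05", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birthdate": "1980-09-17", "sex": "F", "diagnosis": "asthma"},
]

KeyFn = Callable[[Dict[str, str]], Tuple[str, ...]]


def raw_key(r: Dict[str, str]) -> Tuple[str, ...]:
    """Exact quasi-identifier tuple, as it would appear in a naive release."""
    return tuple(r[q] for q in QUASI_IDS)


def generalized_key(r: Dict[str, str]) -> Tuple[str, ...]:
    """Coarsened tuple: 3-digit ZIP prefix, birth year only, sex unchanged."""
    return (r["zip"][:3], r["birthdate"][:4], r["sex"])


def equivalence_classes(records: List[Dict[str, str]], key_fn: KeyFn) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(key_fn(r) for r in records)


def k_anonymity(records: List[Dict[str, str]], key_fn: KeyFn = raw_key) -> int:
    """Smallest equivalence class size; the data set is k-anonymous for this k."""
    classes = equivalence_classes(records, key_fn)
    return min(classes.values()) if classes else 0


def unique_fraction(records: List[Dict[str, str]], key_fn: KeyFn = raw_key) -> float:
    """Share of records whose quasi-identifier combination is unique (k == 1)."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, key_fn)
    singletons = sum(1 for r in records if classes[key_fn(r)] == 1)
    return singletons / len(records)


def suppress_small_classes(records: List[Dict[str, str]], key_fn: KeyFn, k: int) -> List[Dict[str, str]]:
    """Release policy: drop every record whose class is smaller than k."""
    classes = equivalence_classes(records, key_fn)
    return [r for r in records if classes[key_fn(r)] >= k]


if __name__ == "__main__":
    print("raw release:        k =", k_anonymity(RECORDS),
          "unique fraction =", round(unique_fraction(RECORDS), 2))
    print("generalized:        k =", k_anonymity(RECORDS, generalized_key),
          "unique fraction =", round(unique_fraction(RECORDS, generalized_key), 2))
    released = suppress_small_classes(RECORDS, generalized_key, 2)
    print("generalized + suppressed:", len(released), "records released, k =",
          k_anonymity(released, generalized_key))
```

With the exact fields every constructed record is unique (k = 1); after generalization two of six are still unique, and only suppressing those yields a 2-anonymous release, which is the trade-off between utility and re-identification risk that the post describes.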

 

Cloud Computing: Identity and Access Management

Identity
Author: Mark Dixon
Tuesday, September 1, 2009
7:44 pm

While listening this morning to Glenn Brunette’s excellent webinar entitled, “Safety First: Protecting Your Services in the Cloud,” I was introduced to the Cloud Security Alliance, of which Glenn is a founding member.  I was intrigued by the document published by the Alliance in April 2009, entitled, “Security Guidance for Critical Areas of Focus in Cloud Computing.”  This initial report from the Alliance outlines “areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.”  The report outlines 15 domains or areas of concern that should be addressed by stakeholders in cloud computing initiatives.

I focused primarily on the section entitled “Domain 13: Identity and Access Management,” authored by Subra Kumaraswamy, Senior Security Manager, Sun Microsystems and Jim Reavis, Co-founder & Acting Executive Director, Cloud Security Alliance.  The executive summary of the document provided five key recommendations regarding IAM in the cloud:

  • The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
  • Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
  • Validate that cloud providers either support strong authentication natively or via delegation and support robust password policies that meet and exceed cloud customer internal policies.
  • Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
  • Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications.
  • Using cloud-based “Identity as a Service” providers may be a useful tool for outsourcing some identity management capabilities and facilitating federated identity management with cloud providers. For example, they may be useful for abstracting and managing complexities such as differing versions of SAML, etc. Be aware that they become a critical new cloud provider for your organization and must be vetted with this broad guidance document.

Some of the key points I gleaned from the IAM section include:

Supporting today’s aggressive adoption by the business of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s cloud computing providers. …

Standards support for achieving IdM federation with your cloud providers is crucial. … It appears as though SAML is emerging as the leading standard that enables single sign-on (SSO). …

You should understand the cloud provider’s support for user management processes including user provisioning, de-provisioning and overall lifecycle management of users and access in the cloud in an automated way. …

You also need to perform due diligence to assure that the cloud provider’s password policies and strong authentication capabilities meet or exceed your own policies and requirements. …

As a long term strategy, customers should be advocating for greater support of XACML-compliant entitlement management on the part of cloud providers, even if XACML has not been implemented internally. …

A good strategy towards the maturation of your own IdM in order to make it “cloud friendly” is to start enabling SSO within your own enterprise applications, for your existing user base of employees, partners and contractors. …

One of the investments you may consider is an Identity as a Service solution to bridge between cloud providers or even outsource some Identity Mgt functions. …

I will join Sun colleagues on a conference call tomorrow to explore the topic: “What is the same and what is different about the task of integrating a new app when it is in the cloud vs. internal?”  I’ll report back on what we learn from each other.


Screens of our Lives

Identity
Author: Mark Dixon
Saturday, August 29, 2009
2:25 pm

In today’s hyper-connected, web 2.0 world, it is increasingly crucial for companies to interact with their customers through highly personalized, context-aware, blended services on whatever device or devices those customers choose – the “screens of our lives.”  It seems sometimes that the rising generation of young people has developed intimate relationships with the entire range of online devices.

Perhaps Jeremy Duncan, of Zits comic fame, takes this a bit to the extreme.

Zits - August 29, 2009.


Quick Wins in Identity Management – Still Alive and Well

Identity
Author: Mark Dixon
Thursday, August 27, 2009
4:49 pm

I enjoyed reading Felix Gaehtgens’ recent article entitled "Quick Wins in Identity Management."  The essence of his post is summarized in his second paragraph:

With the current squeeze on cost and corporate spending, many IT departments find themselves in a true quagmire. On one hand, the IT industry is focusing on efficiency like never before – elaborating new approaches and processes to increase efficiency and do more with less. Governance and risk management is a big issue whose lack has greatly contributed to the current crisis. IT is under scrutiny to be more of a business enabler and less of a cost center. All of this requires change, new technology, and strategic vision. But as IT spending is reduced or even capped, this creates a Catch 22 situation. Under pressure, some IT departments try for more tactical approaches that can eventually be expanded into a broader strategy. Quick wins are needed to get there.

It is great to know that in prevailing Identity Management thought, the Quick Win concept is still valid.  Back in June, 2005, I authored a post entitled "Quick Wins for Identity Management," highlighting "Sun’s Quick Win philosophy."  In that article, I proposed:

The value of a quick win project should not be underestimated. A number of advantages can accrue:

  • Measurable results are quickly demonstrated
  • Project momentum is maintained for future phases
  • The likelihood of continual sponsorship is increased
  • The system architecture is progressively validated
  • Configuration components are more easily reused
  • Impact on the enterprise is more easily understood

It is interesting, and not altogether coincidental, that a post I wrote earlier today featured the AegisUSA announcement of "Identity Appliances" to reduce entry costs and accelerate time to value.  The AegisUSA offering is yet another validation that the Quick Win philosophy really does work.

So, let me leave you with Felix’s final words:

As usual, those who take a good long-term view are usually rewarded most in the long run. But when strategic initiatives are out, and the thinking is tactical, the above mentioned areas have shown the potential for quick wins. These quick wins have additional benefits because they can be everybody, but that cannot be an excuse to do nothing – those who are smart and creative will be able to push ahead in front of others. Hopefully these ideas will help you deliver value in these tough times.

… and mine, from the June 2005 article:

We encourage you to make this your philosophy: Segment your Identity Management project into manageable parts. Focus your attention first on the most urgent, most beneficial, most quickly implemented areas of the entire project scope. Drive directly to those areas where you will experience a quick win.

Ladies and Gentlemen, start your engines.


Aegis USA – Identity Appliances

Identity
Author: Mark Dixon
Thursday, August 27, 2009
4:29 pm

Two of the large challenges in the Identity Management market are the cost of entry and time to value.  With their announcement last week of the AegisUSA Identity Solution Continuum, our friends of AegisUSA are focusing on both of those challenges. 

I think the most innovative part of this announcement is the unveiling of appliance-based turnkey solutions “that deliver enterprise-level identity management functionality. Aegis Identity Appliances are functional IAM solutions configured to scale for future identity management growth and expansion. Preconfigured Appliances include Password Management, Single Sign-On (SSO), Federated Identity InCommon® Quickstart, and Google Apps Provisioning, with additional point solutions planned in the near future.”

Helping companies quickly and easily accrue real value in Identity Management while building a solid foundation for future expansion is a fundamental best practice for Identity Management.  It appears that the AegisUSA approach should bring real value to customers.


Top Ten Catalyst Takeaways

Identity
Author: Mark Dixon
Friday, July 31, 2009
2:49 pm

It has been a great few days in San Diego attending the Burton Group Catalyst Conference.  It is always refreshing and invigorating to hear what others have to say, both in formal sessions and in ad hoc conversations.  I previously posted the key points for the sessions I attended on Day 1, Day 2 and Day 3.

Here is my list of the most important ideas or concepts I gleaned from the conference.

  1. The biggest challenges facing the Identity Management industry are business issues, rather than technology.
  2. Much more discussion focused on the process of Identity Management than the tools of Identity Management. 
  3. Discussions about user-centric or user-controlled Identity were focused more on what the practical business models might be, rather than on enabling technology.
  4. The quest for business efficiency has perhaps overtaken regulatory compliance as the most important driver for Identity Management.
  5. Role management, while still having challenges, is very much in the mainstream of implementation and use.
  6. Federation has become a foregone conclusion, rather than a theoretical exercise.
  7. Entitlement management is gaining traction, but still needs much, much work.
  8. Several Identity Services companies are emerging as recognition is growing that Identity as a service is critical to cloud computing.
  9. Privacy has emerged as a leading topic in its own right, rather than a subordinate topic within discussions of security and Identity Management.
  10. The terminology used within the Identity Management market is still not precise, particularly in areas such as role management and entitlements management.

I’d be happy to discuss any or all of these in more detail.  Please drop me a line and let’s talk.

Thanks for stopping by.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.