
Exploring the science and magic of Identity and Access Management
Saturday, December 6, 2025

Catalyst Conference, Day 3 (Friday, July 31)

Identity
Author: Mark Dixon
Friday, July 31, 2009
1:59 pm

This morning’s Privacy Track was the most intellectually stimulating set of sessions for me in the Catalyst Conference. The blend of theoretical background and practical application of privacy principles was a good combination. I certainly don’t consider myself a privacy expert, so I learned much and gained valuable perspective, both from the point of view of an Identity Management practitioner and as a person who values personal privacy. Hats off to Burton Group for assembling an excellent set of speakers.

Here are the high points for me:

Privacy: Principles Yield Practice

Bob Blakley (Burton Group)

  1. Privacy is not about data, it is about people
  2. Protecting privacy means putting oneself in the place of another and understanding the consequences of your actions
  3. Privacy means different things in different contexts
  4. Privacy principles:
    1. accountability
    2. transparency
    3. meaningful choice
    4. minimal collection and disclosure
    5. constrained use
    6. data quality and accuracy
    7. validated access
    8. security
  5. Put principles into context – then derive set of rules
  6. IdM systems have much personal data in them. Are we protecting the dignity of the people we know things about?

Privacy Issues Related to Healthcare and Identity

Speaker: David Miller (Covisint)

  1. IAM is not a security thing.  It is a privacy thing.
  2. Security is about keeping people out; privacy is about letting the right people in.
  3. Electronic Medical Records (EMR) are being dictated by legislation, but have challenges to overcome, including:
    1. authentication
    2. authorization
    3. data exists in many places
    4. patient access to records depends on many factors
    5. many organizations want access to information
    6. regulatory issues
    7. legal/tort issues
  4. One solution is a central Health Information Exchange (HIE).
  5. Several different organizations at the national, state and health care organization level approach HIE’s differently.

Privacy – how to have a productive multi-stakeholder discussion

Robin Wilton (Future Identity Ltd.)

  1. Privacy is usually a multi-stakeholder discussion
  2. It is difficult for stakeholders to articulate their view of privacy problems in a way that other stakeholders understand
  3. Use the "Onion Model" to explore and use levels of importance of personal information
  4. Use the "Ladder Model" to facilitate different viewpoints about privacy
  5. We are doing all this technical interaction in online networking as if it works the same way as face to face interaction, but it does not.
  6. "Privacy management" implies being aware of relationships and contexts, and acting accordingly.
  7. Technology is not an automatic answer to privacy.

A Dual Mission: Identity Management and Privacy Protection in the Federal Government

Bob Mocny, Director, DHS-VISIT Program – Department of Homeland Security

  1. Identity management is critical to national security
  2. US VISIT – check credentials for visitors into
  3. 100 million biometric records used for authentication, 200K transactions/day – largest in the world
  4. Built privacy into architecture of system
  5. Secure facilities and networks are in place to protect privacy
  6. Redress process to correct personal information in the system is essential
  7. No more important condition between the government and the people it protects than trust
  8. US VISIT built trust into the biometric system

Joint Q&A

Bob Blakley (Burton Group)
Bob Mocny (Department of Homeland Security)
Robin Wilton (Future Identity Ltd)
David Miller (Covisint)

  1. Privacy-enhancing governance is difficult (e.g. if you request that your PII be deleted from a list, is your PII still on the audit trail?)
  2. Much explicit effort and systems are necessary to avoid unintended consequences of amassing large amounts of personal information.
  3. People who have grown up in a hyper-connected, pervasive-surveillance world tend to have different perspectives of privacy than older people for whom personal information was secret by default.

Partnering via Privacy

Ian Glazer (Burton Group)

  1. Increased regulatory action, higher penalties, more people looking at privacy – all increase the attention companies must focus on privacy.
  2. Increased reliance on partners requires companies to understand privacy practices of partners.
  3. Perform Privacy Impact Assessments (PIA) to determine where we are, how we got here, and how changes can impact risks.
  4. PIA – opportunity to look at mission goals, design goals and privacy principles – are they in alignment?
  5. Reduce privacy risk by "cleaning your basement"
    1. Scary basements (something might be illegal)
    2. Messy basements (policy in place, but not well-applied)
  6. Procurement process is the best place to ask tough questions about partner privacy practices.

The Watchmen: UCLA & Georgetown Protect and Defend Privacy and Data Security

Heidi Wachs (Georgetown University)

  1. Although Georgetown University and UCLA have significant differences in size, organization and operational practices for privacy policy, the incident response process is quite similar
  2. Both suffered significant privacy breaches
  3. Response depends on what data is actually "acquired" vs. how much was "exposed"
  4. Privacy breaches triggered much public press and discussion
  5. New policies implemented quickly as a result of the breach have been difficult to implement

How Google Protects the Privacy of Our Users

Shuman Ghosemajumder (Google)

  1. Google global design principles: transparency, choice, security.
  2. End to end security is an essential part of every Google Service.
  3. Google Latitude: make privacy choices very visible and easily accessible, with opt-out at multiple levels.
  4. Street view: blur faces and license plates automatically, but allow individuals to request blurring if automated process fails.
  5. Interest-based advertising: give users control over categories and opt out at different levels of granularity.
  6. Gmail: contextual ads caused concern – because of its proximity to and dependence on personal email.
  7. Data retention: Google anonymizes IP addresses in logs after 9 months.
  8. Google chose paradigm of "opt-in after the fact", rather than offering "opt-in beforehand" to not disrupt the user experience or advertising ecosystem.

 

Contrast in Characters – Rapper and Prophet

Identity
Author: Mark Dixon
Friday, July 31, 2009
6:18 am

For a guy whose theatrical credits are limited to an obscure high school play and boy scout skits, this week has been a high point in playing the part of interesting characters.

Last Saturday, I led a Pioneer Day celebration parade dressed as Brigham Young, the Mormon Prophet.  Wednesday night, I dressed the part of a 1980’s rapper in the Sun Microsystems Catalyst Conference hospitality suite.  Thanks to Ian Glazer for the rapper photo and to my wife Claudia for the photo of Brigham on a horse.

Great times!

 

Catalyst Conference, Day 2 (Thursday, July 30)

Identity
Author: Mark Dixon
Friday, July 31, 2009
5:56 am

Day two of the Catalyst Conference was also packed with good information.   Key points from sessions I attended are included below. 

Please let me know if you would like to discuss any of these topics.

Maximum Value for Minimum Investment: Getting the Most from Your IdM Infrastructure

Mark Diodati (Burton Group)

  1. Mid tier vendors growing organically with integrated administration.
  2. Just because one product in a suite fits your needs doesn’t guarantee that the other products in the suite fit your needs.
  3. Microsoft is typically not considered a full IdM vendor, but because Microsoft owns the desktop and the de facto workflow engine (Exchange), they have strong potential.
  4. Identity services may enable integration of multiple Identity silos – entitlement management, WAM, Provisioning, eSSO …
  5. LDAP has emerged as the default protocol of Identity services – the center of the IdM universe.
  6. Coexistence of AD, Sun DS, OID, etc., will be with us for a long time.
  7. What next? Assess where you are. Play to your strengths. Invest in initiatives that deliver value quickly.
  8. Align ERP and IdM strategies.


Identity Management: Making It Pay Off at Allstate Insurance

Eric Leighninger (Allstate Insurance)

  1. Key goal: manage identities for people, applications and platforms, with digital personae for each.
  2. Establish service catalog from which people can request services.
  3. Make enterprise directory single source of record – although subordinate directories are used.
  4. Built integrated Identity system that addresses internal and customer-facing needs.
  5. Started within the enterprise – then worked outward to customers.
  6. Identity-based encryption key management services will allow them to manage keys as efficiently as users.
  7. Will need to consider virtual directory because identity repository environment is getting more complex.

Small Identity Management Project, Big Returns: One Bank’s ESSO Experience

Steven Craige (Bank of the West)

  1. Justification for ESSO: reduce time and expense on password change.
  2. Goal: single ID with single password.
  3. At two year mark, password changes down 33% – all savings may not be attributable to ESSO.
  4. ROI target: 48 months.
  5. Difficult to get business groups to move apps to ESSO.
  6. Getting senior management’s support is essential.
  7. Decide what you want to achieve and what you can afford.
  8. Chose ESSO as first step – other IdM projects may follow.

Leveraging Active Directory to Improve UNIX Identity Management

Mark Diodati (Burton Group)

  1. Companies want centralized policy management of Unix and Windows systems via Windows group policy
  2. The market is converging for privileged account management, AD Bridge and Unix Security products
  3. Explosive growth in this market is driven by heightened focus by auditors and demand for improving Unix security
  4. Efficiency is a major driver: cost reduction, enhanced productivity, sign-on reduction
  5. Can a robust IdM system be effectively deployed without securing the operating system first?

Case Study: Bridging the Gap between Active Directory and Non-Windows Systems and Servers

John Matthew (NBC Universal)

  1. After failing SOX audits for Unix account management, they found that password policy was not enforced, along with poor account management, poor change management and widespread use of resource accounts.
  2. Considered off the shelf, open source or "roll your own" options.
  3. They chose open source technology (Likewise) because the software was free, but they could buy support.
  4. The Likewise product was augmented with a database to keep track of relevant data, scripting to automate repetitive processes and a wiki to report status.
  5. Integrated with IdM system. Workflow manages AD to handle group membership for SOX compliance.
  6. Small team (2 guys) did most of the implementation.

Using Identity Virtualization to Mitigate Risk at Sony Pictures Entertainment

Kunal Mittal (Sony Pictures)

  1. Business drivers for Virtual Directory: single place to manage and report on Identities, improve data quality, reduce cost of providing Identity services and simplify integration with multiple systems.
  2. Technical drivers: provide common view of identity data across different systems, support transition to SOA, offer Identity services to extend to enterprise and SaaS applications.
  3. Privacy policy can be enforced at VDS level.
  4. The system was implemented by a small team in less than four months.

See no Evil, Hear no Evil, Speak no Evil – Identity Governance

Chris Howard (Burton Group)

  1. Tough year – economically, psychologically.
  2. Companies are re-imagining their business models.
  3. The corporate institution is profoundly dysfunctional in many ways, especially for society’s purposes, but also for capitalism.
  4. The corporate institution is ripe for reinvention.
  5. Simplification is a myth: large organizations are complex, IT systems are complex and transparency requires simplicity.
  6. Simplicity is managed complexity.
  7. Obfuscation is borne of complexity.  Some obfuscation is intentional, but most is unintentional. Obfuscation in IT is not a surprise.
  8. Forces impacting enterprise IT: Externalization (e.g. cloud, outsourcing), Democratization (how I choose to work) and Consumerization (multiple devices and freedom of choice).
  9. Remediating the existing IT environment doesn’t automatically reinvent the corporation.

The “3 Rs of IdM”: Roles, Risk and Regulatory Compliance

David Griffeth, VP Enterprise Identity Management – RBS Citizens Bank

  1. Automated provisioning doesn’t equal Identity management
  2. Main goals – definition and maintenance of roles and certification of access
  3. Involve both system owners and department managers in role definition
  4. Value of roles: access certifications are simpler, compliance is easier, drastic reduction in risk, entire account lifecycle is properly controlled
  5. Document roles to enable easy understanding

Making IdM Infrastructure More Transparent

Gerry Gebel (Burton Group)
Mike Rollings (Burton Group)

  1. Governance is not possible without transparency.
  2. An access and identity governance layer is emerging as distinct from the run time IdM infrastructure services layer.
  3. Governance enables a closed loop, including: configure policy, assign privileges, monitor activity, certify environment, determine access.
  4. Complexity is the enemy of transparency and friend of the status quo.
  5. Several customers are still building their own provisioning systems, based on workflow systems already in place, to work the way their business works.
  6. Use business intelligence tools to provide functionality and interface more in line with business person’s perspective.

Security and Governance as Competitive Advantage for SaaS

Tim Madewell (Innotas)

  1. Governance is Visibility, Control, Reliability and Predictability.
  2. Governance for operations is part of the service in the SaaS model.

Vendor Lightning Round – 2

Tom Smith, CEO – Conformity

  1. SaaS management solution
  2. centralized  administration, usage analytics and reporting, workflow and process integration

Venkat Raghavan, Director Product Management, Security, Risk and Compliance – IBM

  1. IBM Tivoli Security: delivering on IBM Security Strategy
  2. identity and access assurance, data and application security, security management for System z

Andy Han, VP & GM, Products – NextLabs

  1. NextLabs product suite 4.5
  2. data security in collaborative environments – protecting data on the move

Ulrich Lang, CEO – ObjectSecurity

  1. application security policy automation
  2. development tool suite add-on

Rohit Gupta, Sr. Director, Product Management – Oracle

  1. Service-Oriented Security for Application developers
  2. Oracle/Sun will be best IdM system in the world

Jackson Shaw, Quest

  1. OneIdentitySolution
  2. simplify identity infrastructure around AD

Dieter Shuler, Radiant Logic

  1. VDS context edition
  2. VDS is an abstraction layer between inflexible data stores and applications that want to consume that data

 

Catalyst Conference, Day 1 (Wednesday, July 29)

Identity
Author: Mark Dixon
Friday, July 31, 2009
5:25 am

I have thoroughly enjoyed this week at the Burton Group Catalyst Conference in San Diego, California.  It has been good to take the pulse of the Identity Industry, re-connect with old friends and meet new people.  I would have enjoyed attending the Cloud Computing or Mobility tracks this year, but stayed with my old standby, the Identity track.  Key points I gleaned from the sessions I attended are included below.  If you would like to review my complete notes on any session or discuss any of these topics, please send me a comment.

Thanks for stopping by.

2009: Upheaval In The Identity Market

Bob Blakley (Burton Group)

  1. The expanding identity universe is changing in three dimensions:
    1. scale – moving both to small (SaaS, SMB) and massive (consumers, social networks)
    2. control – moving from centralized to distributed (de-perimeterization, outsourcing)
    3. focus – moving from business to individual
  2. An infrastructure is evolving that will allow us to transform from being just an "account" in a system to being a "person" in a world where physical and virtual worlds are no longer distinct.

Identity Management: No Time Like the Present

Lori Rowland (Burton Group)
Bob Blakley (Burton Group)
Mark Diodati (Burton Group)
Gerry Gebel (Burton Group)
Ian Glazer (Burton Group)
Kevin Kampman (Burton Group)

  1. Much more focus on efficiency, short ROI and accelerated time to value.
  2. Strong market for IdM during tough economic times; pent up demand will probably fuel growth when economy recovers because organizations have discovered new requirements as they use IdM systems.
  3. Oracle acquisition of Sun is strongly impacting the industry.
  4. Oracle will probably not abandon the Sun user base.
  5. Need to re-define or clarify IdM terms, such as provisioning, roles, entitlement management and privileged user/account management. These terms have grown to mean too many things or are ill-defined in the industry.
  6. SPML is re-emerging as a potentially important standard.
  7. Identity and access governance may emerge as an architectural layer distinct from provisioning and role management.
  8. The uptake on role management is tremendous.
  9. Federation will be default protocol for cloud computing.
  10. Interoperability and integration continue to be large challenges.

Two Billionths of a Second after the Big Bang – Where Is Consumer Identity?

Michael Barrett (PayPal)

  1. Many consumers have too many online identities to effectively manage.
  2. Consumer Internet interactions are repetitive, frustrating and littered with outdated info.
  3. Super scale: billions of Internet users; millions of relying parties.
  4. Effective consumer-managed Internet Identity infrastructure is needed.
  5. We don’t have a "network effect in action" for consumer Identity, and we need one.
  6. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants.
  7. A fourth role in the Internet Identity process may be the "assertion provider" or "attribute broker" (e.g. credit bureaus).
  8. PayPal may be interested in being an IdP; other candidates include eBay, Google, Facebook, Microsoft.

The Identity Services Market

Bob Blakley (Burton Group)

  1. The value proposition for cloud computing is not lower cost, but time to value.
  2. Independent service vendors can provide slices of Identity functionality – customers design how they are packaged together.
  3. The market is building with small firms offering discrete billable units in areas such as vetting, provisioning, logon, risk scoring and user experience augmentation.
  4. Azigo and Kynetics are examples of enabling users to be "recognized", rather than "interrogated".
  5. The "pay as you go" aspect of services will force people to explicitly focus on business value, not just technology.

Externalizing Authorization in a large scale Software-as-a-Service Environment

Steve Merritt (Hoover’s, Inc.)

  1. Hoover’s need was driven by complex needs for delivering business information to users, based on subscriptions.
  2. Requirements included
    1. fine grained control
    2. flexible – different types of objects, apps
    3. complex entitlements
    4. dynamic groups
    5. centralized administration
    6. easy application integration – easy to use API or standard protocol
    7. scalable
    8. multitenant
    9. integration with enterprise IdM solutions
  3. Evaluated build vs. buy.
  4. Selected Cisco Enterprise Policy Manager (formerly Securent).
  5. Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure.

The Age of Identity Oracles

Mary Ruddy (Meristic, Inc.)
Ron Carpinella (Equifax)
Tom Oscherwitz (ID Analytics)
Rick Rubin (OneHealthPort)
Denise Tayloe (CEO, Privo)

  1. "Identity Oracles" deliver value individual companies can’t provide for themselves.
  2. Achieving critical mass and establishing de facto community standards are essential to adoption.
  3. To build critical mass, it can be helpful to bring large group up to a low level of security, rather than a few people to high level of security.
  4. These markets will see more government regulation unless the industry can demonstrate it can self-regulate.
  5. Many solutions failed because they don’t walk the line between assurance and usability.

Roles: The Real, the Imaginary, and the Broken

Kevin Kampman (Burton Group)

  1. Speaking as voice from the customer, based on feedback from customers.
  2. Vendor products tend to be focused on a particular aspect, but not the whole space.
  3. Tools tend to be oriented toward technologists, not the business community.
  4. Efficiency and compliance are still major drivers.
  5. Governance of role management initiatives is essential – usually in concert with overall Identity Management governance.
  6. Execution is a classic project management challenge: identify scope, manage priorities, establish metrics, recognize challenges.
  7. Many people, from business and technology viewpoints, must work together effectively to achieve success.
  8. Roles bring value to downstream processes like provisioning and entitlement management.
  9. To start, pick well-understood domains, with fairly stable populations, where there is a real problem to be solved.
  10. Quality data is critical – you must be able to rely on it.

Empower the Business with Identity Management

Robert Amos (NuStar Energy)

  1. Funded project based on efficiency for HR department.
  2. Managers and role owners must agree to new process.
  3. Work with simple role structure first.


Role Management – Leveraging the Investment

Paul Rarey (Safeway, Inc)

  1. Focus on highest value: using 25 roles addressed 60% of the problem.
  2. Choose roles by focusing on high volume of people change and malleability of business process.
  3. The identity warehouse, which holds trusted and aligned Identity data from multiple sources, provides the foundation.
  4. Roles support more than RBAC; they support good decision making: is right person in the right place doing the right thing?

The Intersection of Roles and Entitlement Management

Kevin Kampman (Burton Group)
Alice Wang (Burton Group)

  1. Assigning entitlements directly to users doesn’t scale, lacks flexibility, is not agile and increases compliance risk.
  2. Policy: glue that binds roles to, or divorces roles from, entitlements.
  3. XACML is a reference model for separating authorization processing out of application, but is not the only one.
  4. Bottom line goal for entitlement management: control access efficiently, with clarity, in compliance with regulations.
  5. Roles facilitate meaningful conversations between different constituencies.
  6. Roles are off to the races … entitlement management is learning to walk.
  7. How many roles are effective? It comes back to how many to manage effectively.
  8. A role/rule based system is a good way to balance the problem of too many roles.

Role Management Evolution

Ed Coyne (SAIC, Veteran’s Health Administration)
Alan O’Connor (RTI International)
Paul Rarey (Safeway, Inc)
Robert Amos (NuStar Energy)
David Laurance (JPM Chase)
Kevin Kampman (Burton Group)

  1. NIST is preparing to update a 2002 study on economic returns to IT and business from using role based access technologies and methods to look at where wins have occurred and economic benefit can be improved.
  2. Roles can be used as organizing principle for defining, provisioning and interpreting user access and related information.
  3. To effectively define roles, we must talk in the context of business process and workflow.
  4. The term "role" has come to have several different meanings in different contexts.
  5. Standards may be helpful for RBAC systems to interoperate.

 

Happy Anniversary Sarbanes-Oxley

Identity
Author: Mark Dixon
Wednesday, July 29, 2009
6:05 pm

Tomorrow, July 30th, is the seventh anniversary of the day the Sarbanes-Oxley act took effect in the United States.

I recently undertook a project to create a white paper entitled, "Identity and Access Management: Enabling Sarbanes-Oxley Compliance", drawing heavily from earlier Sun white papers, plus adding additional material about best practices for Sarbox compliance.  The paper provides an up-to-date and more comprehensive treatment of the subject than we had available in existing Sun collateral.

So, in celebration of the Sarbox anniversary, and coinciding with the Burton Group Catalyst Conference I am attending this week, I present this white paper for your review.  It hasn’t yet found its way to the "official" Sun website where it will be shortly, but you can download a complete .pdf copy from this site.

It was heartening to note that I heard nothing at the Catalyst Conference that would challenge my selection of the most important best practices for using Identity and Access Management principles in securing Sarbox compliance. Here is my recommended list of best practices:

  1. Understand requirements.
  2. Recognize IT’s critical role.
  3. Understand the role of IAM.
  4. Think program, not project.
  5. Develop a strategy.
  6. Establish a governance process.
  7. Implement your strategy in phases.
  8. Give real-time visibility.
  9. Unify disparate compliance efforts.
  10. Assess progress and adjust as necessary.

After you have a chance to read the paper, please let me know what you think.  I’d be happy to answer any questions or feedback you have.

 

Tokenization to Secure Sensitive Data

Identity
Author: Mark Dixon
Thursday, July 16, 2009
8:57 am

In her Network World column earlier this week, Linda Musthaler described a fairly new technology called "tokenization" that is gaining interest from organizations that have much to lose from data breaches, such as credit card merchants and financial institutions.  She uses the example of payment card data to describe how the tokenization process works:

"A merchant has a point of sale system where customers swipe their credit or debit cards to initiate a payment transaction. Among the information from the magnetic stripe on the back of the card is a 16 digit number called the primary account number (PAN). Any thief who can gain access to the PAN has enough information to use the card data fraudulently. The PAN (i.e., the cardholder data) is sent to a token server where it is encrypted and placed into a secure data vault. A token is generated to replace the PAN data in the merchant’s storage systems or business applications. If the merchant needs access to the original cardholder data again — say to issue a refund on the credit card — the merchant is authorized to reach into the secure data vault to look up the PAN again."

What benefit does this provide to companies?

"First and foremost, it takes highly sensitive data out of the business processes that would use customer data. This reduces the likelihood that the real data can be stolen off of servers or from applications. If a thief steals tokenized data, he can’t use it to retrieve the real data, since he isn’t authorized to access the secure data vault. Instead, he ends up with a bunch of random numbers that don’t mean anything to him."

Linda also refers to a post on CreditCards.com by Jay Mcdonald, who explores the potential for tokenization to increase credit card security.  Quoting Randy Carr, vice president of marketing for Shift4, developer of a commercial tokenization technology, Jay writes:

"Carr believes the game-changer in the equation is today’s hacker. ‘These aren’t college students doing it anymore; they’re ex-Soviet operatives, and they’re serious guys. They’re not there to get 20 card numbers; they’re there to get 100 million card numbers,’ he says.

"Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea."

It will be interesting to see how this technology is deployed or adapted in the next few years. Perhaps the recent hacking of government computer systems will accelerate federal government interest.
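The tokenization flow quoted above (PAN in, token out, authorized lookup only) can be sketched in code. This is an added example, not code from this post, the Network World column or any vendor; the class name, caller names and the choice to keep the last four digits and make tokens fail the Luhn check are assumptions made for illustration, and the in-memory dictionary stands in for a vault that would encrypt stored PANs.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the token server plus secure data vault."""

    def __init__(self, authorized_callers):
        self._index_key = secrets.token_bytes(32)  # keys the PAN -> token index
        self._pan_index = {}    # HMAC(PAN) -> token, so the index holds no raw PAN
        self._vault = {}        # token -> PAN (a real vault encrypts this at rest)
        self._authorized = set(authorized_callers)
        self.audit_log = []     # (caller, token, allowed) for every lookup attempt

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Random digits of the same length, last four kept for receipts.
        # Candidates that pass Luhn or collide with an existing token are rejected,
        # so a token can never be mistaken for (or equal to) a real card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._vault:
                return token

    def tokenize(self, pan: str) -> str:
        """Store the PAN in the vault and return the token the merchant keeps."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp not in self._pan_index:       # same card always maps to the same token
            token = self._new_token(pan)
            self._pan_index[fp] = token
            self._vault[token] = pan
        return self._pan_index[fp]

    def detokenize(self, token: str, caller: str) -> str:
        """Return the PAN only to callers authorized to reach into the vault."""
        allowed = caller in self._authorized and token in self._vault
        self.audit_log.append((caller, token, allowed))
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not read the vault")
        if token not in self._vault:
            raise KeyError("unknown token")
        return self._vault[token]


if __name__ == "__main__":
    # Constructed sample: a widely used test card number, not a real account.
    vault = TokenVault(authorized_callers={"refund-service"})
    token = vault.tokenize("4111111111111111")
    print("merchant stores:", token)
    print("refund lookup  :", vault.detokenize(token, "refund-service"))
    try:
        vault.detokenize(token, "web-frontend")
    except PermissionError as exc:
        print("denied         :", exc)
    print("audit log      :", vault.audit_log)
```

The token is random rather than derived from the PAN, so a copy of the merchant's database gives no path back to the card number without access to the vault itself.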

 

Dilbert: Best Practices for Compliance

Identity
Author: Mark Dixon
Wednesday, July 15, 2009
11:43 am

Recently, I have been working on a white paper addressing best practices for using Identity and Access Management software in meeting regulatory compliance requirements.  Sunday morning, I gained a new perspective on best practices for compliance from the Dilbert comic strip.

Perhaps I should publish my white paper in comic strip format!

 

OpenSSO Enterprise: Fedlet for .NET

Identity
Author: Mark Dixon
Wednesday, July 15, 2009
10:30 am

My wife looked up incredulously from her desk as the music started. "That is a bit out of character for you, isn’t it?" she asked.

Well, it was just the soundtrack to the latest outlandish creation of Sun’s product manager extraordinaire, the "Smoking Monkey" himself, Daniel Raskin. A clever video to introduce the newly released "Fedlet for .NET."

 

 

You can access the new Fedlet by downloading OpenSSO Enterprise Update 1.

Then, in words of those famous founts of curmudgeonly wisdom, Statler and Waldorf, "Play it again!"

 

Kantara Initiative – Fostering Interoperable Identity-Enabled Solutions

Identity
Author: Mark Dixon
Wednesday, June 17, 2009
9:09 pm

Today marked the official launch of the Kantara Initiative, "a new organization formed to solve the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. Kantara Initiative has been founded to collaboratively foster the innovation required for broad adoption of interoperable identity-enabled solutions across industries, regions and fixed and mobile networks."

Roger Sullivan, vice president Oracle Identity Management, has been elected president of the 2009 Kantara Initiative Board of Trustees.  Sun Microsystems is an initial member of the Board of Trustees.

I look forward to participating in this initiative as it moves forward.

 

Intuitive Identity in a Highly-personalized, Hyper-connected World

Identity
Author: Mark Dixon
Saturday, June 6, 2009
5:08 am

A pervasive theme in the just-concluded JavaOne conference was the need for context-aware personalization of the user experience in a hyper-connected world.

For example, Ericsson’s overview presentation advised, "it’s about people" and "it’s all about me, me, me."

"Our kids will grow up in connected world," observed Dan’l Lewin of Microsoft.  "… I need to connect to things that matter most from wherever I am."

At the heart of making this all happen is Identity – enabling highly personalized, time-and-space-sensitive answers to fundamental questions:

  • Who am I?
  • Where am I?
  • What "hat" am I currently wearing?
  • What is top of mind to me right now?
  • With whom do I wish to connect?
  • What device am I using?
  • How do I want to participate in cyberspace – at this very moment?

However, as important as Identity is in answering these questions in a highly-personalized, hyper-connected experience, a user shouldn’t have to think about Identity.  A person should be immersed in the personal experience, not distracted by whatever mechanisms provide secure, personalized access to the services and applications that deliver the experience.  Identity must be an integral, intuitive, unobtrusive part of the entire experience.  It must be so natural and easy to use that it fades into the background of any task. 

Identity is rightfully the focal point for the Identity Management professional community.  But one measure of our ultimate success will be how little users have to think about it.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.