Mike Neuenschwander consented to have his photo taken to headline my blog today, the second of the Catalyst Conference. Lots of information – fifteen pages of notes. I hope these summaries are helpful to you.

Jamie Lewis (Burton) – Internet.net: What Kind of Internet Do We Want and Need?

• We have hit a crossroads in the Internet – what kind of Internet do we want and need?
• There isa crisis of confidence in the Internet (e.g. Phishing has rendered emails from banks unusable for communicating with customers).
• Web 2.0 is the “participatory web”.
• Internet lacks concept of interoperability Identities.

Dave Passmore (Burton) – Net Neutrality

• Network operators can look deep into packets and decide whether it is in their business interest to block or slow down performance for competitive services
• Net neutrality legislation is difficult to write and legislators are reticent to address the subject.
• Network operators are migrating to the IP Multimedia Subsystem (IMS) to replace the Public Switched Telephone Network.

Dan Blum (Burton) – Can we Control the Internet without Killing It?

• Bank of America’s SiteKey is good example of improved security without introducing other physical devices.
• Full spectrum defense includes defense in depth and breath. It must include technology + governance + operations.
• Security must be normal way of doing business.
• Some people think we need a whole new Internet. Don’t expect to see it in next 20 years.

Mike Neuenschwander (Burton) – Identity and Privacy

• Privacy is a key issue
• As you rely on social interactions, you will rely less on Identity
• Trust emerges out of a continuing relationship. If I culture a relationship multiple times over time, the reliability of therelationship will grow and trust will naturally emerge.
• Identity acts as a common pool resource. Drawing on a common pool resource (Identity) to solve a common pool resource problem (Internet) is dangerous.
• If people who use the system are involved in the governance of the system, it works better
• SSL is widely used to create sessions between end points. What is the “SSL” for relationships?

Anne Thomas Manes (Burton) – Next Generation Applications and Services

• Web 2.0 is a term coined by Tim O’Reilly
• Web 2.0 could be called the “participatory web” where individuals can participate in the web using blogs, wikis, mashups (e.g. Craig’s list overlay on Google Maps), social networking (e.g. Linkedin, Orkut, Myspace) and Tagging.
• Whole communities can collaborate.
• To use Semantic Web applications like RDF and Owl, you need to think like a physicist.
• Rich Internet Application technologies (RIA) (e.g. AJAX) seek to improve the user experience.
• New governance models must emerge. Governance by community work in some cases (e.g. Wikipedia).
• User want a consistent experience across sites. In order to do that, events and reputation must persist over time.
• Today – each vendor owns your identity on their site. That probably won’t change.

Mike Neuenschwander (Burton) – Thinking Outside the Domain: The Emergence of User-centric Identity and the Democratization of Federation

• The Internet as many other “commons pool” resources, is falling victim to the propensity for participants to be self serving, rather than beneficial to the whole. Individual/commercial rationality overpowers collective interest.
• A social dilemmas are collaborative action problems, with alternate solutions.
• Collaborative Action Problems are typically solved with strong central governance, but that doesn’t sound like the Internet. Identity management is an strong administrative style suited to clearly delineated domains.
• Other styles of dealing with Identities include User-Centric Identity and a social style, which is less dependent on Identities and more on reputation, relation and reciprocity.
• The User-centric management style relies less on facilitated management, but relies heavily on identity information. This is not replacement for domain-centric management, but an alternal approach.
• Some online properties (e.g. Wikipedia, eBay reputations, online gaming worlds) prosper without strong identity.
• The foundation of cooperation is not really trust, but the durability of the relationship over time.

Panel Discussion – Jamie Lewis (Burton), Kim Cameron (Microsoft), Eve Maler (Sun Microsystems), Dick Hardt (Sxip), Michael Graves (Verisign) – User-centric Identity: Is it Really Identity that We Need to Manage?

Verisign (PIP) Personal Identity Provider (Michael Graves)

• PIP is a home base to start with.
• It now supports OpenID, but will support multiple protocols
• Why should we trust PIP or any service provider? You need to trust someone to get started.
• We must agree on the “rail gauge” that connects people.
• Leverage the URL name space that people know.

Sxip (Dick Hardt)

• DIX is the core of what they are doing at Sxip.
• Use SAML 2.0 for defining messages.
• The user is the hub for data transactions.
• User’s experience must be consistent.
• Convergence of Sxip work and SAML.
• Early in the process, but many companies are partcipating.

Liberty Alliance (Eve Maler)

• Sun has just issued a non-assertion covenant regarding SAML
• Liberty may be perceived as enterprise centric, but is quite comfortable with user centricism.
• Nothing prevents a Liberty circle of trust concept from including the user?.
• User mediated Identity flow is just one use case.
• We must build in the maxium level of security into the architecture, but be able to turn that down as necessary.

CardSpace vs. InfoCard (Kim Cameron)

• InfoCards are visual representation of an Identity. Could be possibly hosted on any platform.
• CardSpace is the Windows implementation.
• The complexity of security layer should be pushed down so no one sees it (like TCP/IP)
• With the user in the middle, the identity provider is decoupled from relying party. These two parties don’t need to know each other.

Jamie Lewis (Burton)

• Quit arguing about the composition of asphalt. Go build some cars.

Bob Blakley (IBM) – Identity and Community in Human Society

• Access to information about us enables power over us, in many situations – Asummetric Information is Power
• Trust builds over time. Betrayal causes distrust.
• Repitition changes the game – maximizes mutual gain.
• We take chances in order to build trust, and build up our trust reality through experience.
• Corporations have a perpetual lifetime and seek to limit liability by laying off risks to investors or others
• People provide money and information to corporations. In exchange, we accept goods and services and assume risk.
• Corporations not capable of intimacy – they don’t value intimacy or trust
• The Identity Metasystem is a terrible idea and must never be built.
• We should build the Meta-Identity System.
• An example of meta Identity data is a wrist band at a nightclub. It shows that you passed the age test to come in, but doesn’t reveal your age.
• We must stop moving identity data around and concentrate on using meta data.

Scott Blackmer (Technology Law & Consulting) – Thinking about the Unthinkable: Managing your Risk Exposure from Security Breaches Involving Protected Personal Data

• Personal information is the latest controlled substance.
• Law and the marketplace expect you to protect personal identifiable information.
• Identity theft is the fastest growing crime in America.
• Identity theft is direct danger to individuals and their employees.
• Almost $50 billion per year in direct business costs and losses due to identity theft.
• One announcement per week of major, mass identity theft.
• California is setting trend in regulation regarding identity theft. 25 other states have adopted similar legislation.
• Heavy penalties for companies that have security breaches. FTC has broad investigative powers.
• Put together incidence response team in advance – speed matters.

Privacy Roundtable – Mike Neuenschwander (Burton), Dan Beckett (Burton), Bob Blakley (IBM), Scott Blackmer (Technology Law & Consulting)

• In over half of identity theft cases, people don’t know where or how the loss occurred.
• Different laws apply to public and private sectors.
• New federal legislation (Financial Data Protection Act) will prevent blocking of credit information unless fraud has occured.
• Only credit reporting companies are regulated under theFair Credit Reporting act.
• Legislation and regulations evolve slowly in response to experiences.
• Biometrics: lots of work going on. Strongly couple people with identification documents (e.g. Passports). Several significant challenges: Cannot guaranteed that all people have the right body part. Sensitivity to environmental conditions. Significant statistical challenges – may have 5000 false positives in a population of 1 million, even if there is four-nines accuracy.
• By March 2008, states must issue IDs, including biometric attributes, under standard federal governments haven’t defined yet.
• Inexpensive methods, such as using laptop cable locks and sending data via fedex or UPS as “high value” packages, can substantially reduce Identity theft.
• Use standard information security methods to protect sensitive Identity information.

Gerry Gebel (Burton) – Federated Identity: Isn’t Everyone Doing It?

• Federation has been talked abut for a long time. We now see significant growth, but is not ubiquitous
• SAML has solidified its position in the market.
• Some successes include an enterprise with up to 50 federation partners and multimillion user deployments outside the telecom industry.
• Obstacles to deployment include lack of awareness, plus concerns about risk, security, liability and audit.
• Burton Group is starting a federation pilot. The project starts in 3Q2006.
• Standards camps (SAML, OASIS WS-SX, Liberty ID-WSF, WS Federation) are making progress.
• Few startups in the Federation space – most are mature companies.
• User centric identity distorts the current model, which has been primarily an enterprise model.

Edmund Yee (Chevron) – Exploring the Role of Federated Identity in the Energy Community

• Chevron is trying to build good connectivity with other companies in the energy industry.
• Seek to share risk of huge capital projects.Business cases include enabling joint operations and third-party collaboration, where companies seek to share risk of huge capital projects, integrating the supply chain from exploration through distribution, and integrating Vendor, Customer, & Service Provider Relationships.
• They considered several technology options, including point to point secure connectivity, private networks, creating and managing third-Party accounts and Identities for each participating company.
• They chose a Community of Interest federation model with a central trust model
• A proof of concept was conducted last October
• A larger pilot system will be deployed this year
• The broader energy industry is staying on the sideline until they see results from an expanded POC.
• If everyone signs up, tens of thousands of companies. Could be very big.

Mike Ferraro, Kishan Mallur (Harvard) – Adapting Centralized Application Security (SSO) to a Federated World

• Tens of thousands of web sites and applications
• Needed to federate with external and internal groups.
• Standard view of federation involves 2 parties: Identity Providers and Service Providers.
• Had many identity providers and service providers. Point to point federation would have been too complex.
• A federation of Identity Services provides a centralized federation service.
• Significant internal pressure to use Shibboleth. External pressure to use liberty. Decided to build their own.
• 90% of their solution is home grown, using open SAML. Interfaces are SAML compliant.
• May consider commercial product if it meets their requirements.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Catalyst Conference,
Burton Group

New additions to the Whodentity list:

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Whodentity

Today was the first full day of the Burton Group Catalyst Conference. I missed the opening reception last night because I flew in late from a customer meeting in the Midwest. This blog entry summarizes the highlights of the sessions I attended in the Identity Management Track.

Jamie Lewis (Burton) – Identity in Context: The Evolving Business and Social Infrastructure

• We must challenge our assumptions about Identity Management and explore the consequences of what we build.
• Strong authentication only succeeds when it is backed up by an assurnance process.
• Provisioning products have matured; provisioning is going mainstream.
• Role are not a silver bullet. They are one tool among many.
• “Trust” is one of the problems that plagued PKI and now plagues federation.
• Are we too fixated on Identity when it’s relationships that matter?

Mike Neuenschwander (Burton) – Identity Management Market Landscape 2006: Finding a Space in Everyone’s Market Place

• Identity Management is not a winner-take-all market – customers use multiple vendors.
• Identity is not a one time purchase; it is a life style choice.
• IdM has so far resisted centralization of rewards. There are many vendors, in spite of recent acquisitions.
• Some suite vendors (e.g. CA, IBM, HP) are attempting to sell broad suites that encompass Systems Management and Identity Management.
• “Managization” was his coined word of the day – a spoof of just about everything.

Hans Gyllststrom, Steven Roach (Citigroup) – The Architecture of Change

• Citigroup used formal modelling languages and methods to prepare Identity Management deployment and building Identity Services into a SOA infrastructure.
• Formal modelling was used to construct a reference architecture that enabled change.

Mark Diodati (Burton) – Identity Assurance: A Requirement for Identity Management

• The best access management policies are worthless without Identity Assurance.
• Identity Assurance provides a level of confidence that the authenticating user is legitimate.
• Identity proofing methods such as IVR and out-of-band single use passwords have proven effective.
• Identity assurance seeks to bring risk down to a leve we can quantify and manage.

Panel Discussion: Bill Gebhart (UBS), Gerry Gebel (Burton), Mark Diodati (Burton) – Challenges and Lessons Learned in Deploying Authentication

• Consumers want simple, easy and secure – and expect vendors/institutions to provide those qualities.
• Usability is a big consumer issue.
• Employ risk analytics to detect fraud patterns.
• Smart cards are gaining momentum because support is maturing in Windows and contact-less smart cards are emerging.

Martin Vant Erve (TransCanada) – Implementing Enterprise Single Sign-On with Two-Factor Authentication

• Problem: too many digital identities and user authentication systems.
• Implemented Passlogix V-Go for E-SSO and RSA SecurID for Windows for two-factor authentication.
• Deployed to all 3,000 end users in nine months.

Lori Rowland (Burton) – Provisioning: The Vortex of Identity Management

• Identity Management has “crossed the chasm.” We are now selliong to the pragmatists.
• Compliance is the #1 driver, but we overselling Compliance?
• Compliance is how provisioning is sold to uppermanagement, but that is not necessarily how it is actually used. The biggest benefit may be operational efficiency.
• We can now begin do document best practices, based on experience implementing Identity Management.

Kevin Kampman (Burton) – Role Management: Bridging Business and Technology

• Compliance and audit are the primary drivers for roles
• Role Goals: Simplify adminstration and improve match of privileges to responsibilities.
• The real challenge is managing access across multiple environments over some period of time.
• Organizational structures beyond hierarchies, including teams, matrix organizations, and networks should be considered in creating a role framework.
• Focus on simplicity and flexibility.
• Increased role granularity often has diminishing returns.

Q&A: Lori Rowland, Kevin Kampman, Gerry Gebel, Mark Diodati

• Don’t put roles on the critical path.
• Learn to say know when users want more role complexity.
• The size of an organization may not be as important as the complexity of an organization in role definition
• There has been a definite spike in interest in SPML.
• Will SPML V2 become the “esperanto” of the provisioning world?

Case Study – Mike Drazan, Steve Watne (Toro Company) – Provisioningand the Road to Role Refinement

• Used Prodigen Contouring Engine to discover roles.
• Used Sun Identity Manager System to provision privileges
• Reduced roles from 2,000 to 400, primarily by analyzing who really used applications.
• This analysis also sharply reduced the number of people who actually needed access privileges.
• One job type typically included multiple roles (permission sets).

Jamie Lewis (Burton) – Identity Frameworks, Tools and the Emerging Meta System

• Lack of suitable development frameworks and tools for Identity is a substantial obstable to further growth of the Identity Industry
• “It’s the Applications, Stupid.” The real issue is making it easier for developers to create Identity-enabled applications without having to re-create Identity infrastructure.
• Current frameworks, tools and IDEs lack Identity services
• Microsoft has a tradition of strong development tools, but they don’t currently include Identity
• Where is Identity in LAMP?
• Web 2.0 – lots of protocols, no frameworks.
• Liberty Alliance and SAML – no development framework.
• Java Community Process (JCP) – currently at too low level of abstraction.
• Will Higgins emerge as the “Java Rebel Framework?”

The following are remarks by the named persons in an interview session led by Jamie Nelson:

Paul Trevithick (Higgins Project)

• Higgins, an open source project, will produce a framework for developers.
• User centricism implies that a user is in the protocol.
• The reference implementation is in Java. There is pressure from the open source community to implement in C.
• Version 1.0 is expected in mid 2007.
• The project has substantial support from IBM and Novell.
• Shibboleth is an Identity System, not a development framework like Higgins.

Tony Nadali (IBM)

• IBM is involved with the Higgins project because customers are interested in multiple Identity systems.
• IBM is contributing WS* components, context provider components for IBM Directory Services and Lotus Notes directory, Firefox browser extension and IDE components.
• Is the browser a secure placeto have an Identity Selector?
• Some of the browser pieces are being developed in C. Other existing code is Java.
• User-centric applications should provide a 360-degree view of your life without compromising privacy.

Dale Olds (Novell)

• Bandit is an open source project.
• It is collection of software components, not a developer framework.
• Some components are also present in Higgins.
• Internal Novell developers are beginning to consume open source components as part of the normal product-development process.
• Novell expects to leverage Bandit technology in its own Identity projects.
• If developers include Bandit components in their applications, those apps will be more easily managed by Novell’s Identity Management products.

John Shewchuk (Microsoft)

• InfoCard is the concept. Windows CardSpace is a specific selector, using the InfoCard concept.
• Security Token Service (STS) is a new way to access database from the Active Directory repository.
• The Declarative Programming model used in the Windows Communications Framework is designed to free developers from underlying details, hopefully leading to higher development productivity and higher code quality.
• Microsoft’s motivation is to enable interoperability, which will allow them to sell more products into the enterprise space.
• SSO needs to merge with User-centric Identity – allowing user partcipation in federation.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Catalyst Conference,
Burton Group

New additions to the Whodentity list:

*What in the world has Tony Blair done for Identity Management? His active support of the UK Identity Card system is an example of an influential political leader strongly affecting the direction and growth of the Identity industry. See more in my recent blog.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Whodentity

James Governor responded to my announcment of the Whodentity list by saying “Your list needs some bad people – we’re only tracking the ‘goodies’. What about the privacy and identity blackhats – people like Tony Blair?”

I must admit that I hadn’t thought of listing government leaders who influence sensitive Identity issues, but I think James has a point.

Googling “‘tony blair’ identity” tonight produced a BBC article entitled “Blair defends identity card plan.” When Tony Blair or any influential political leader advocates a certain position on subjects of interest to the Identity industry, the development and deployment of technology and public policy will inevitably be affected.

Thanks, James for the insight.

By the way, I think Tony Blair is a good person – I just don’t agree with his position on the Identity Card plan.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Identity Card,
Tony Blair

When I add new people to the Whodentity list, I’ll post the updates here in my blog.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Whodentity

While creating my blog entries today, I made an interesting discovery. When you look up “Participation Age” in Wikipedia, you get Jonathan Schwartz instead. I suppose the Participation Age is an integral part of his Identity!

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Sun Microsystems,
Participation Age,
Jonathan Schwartz

The CIO Magazine article by Susan Patton, “Who Knows Whom, And Who Knows What?”, about Social Network Analysis (SNA) was particularly interesting to me when I considered it against the related backdrops of Digital Identity and the Participation Age.

The article quotes Valdis Krebs, an SNA expert who founded an SNA software company called Orgnet.com: “SNA can be defined as the mapping and measuring of relationships and flows between people, groups, organizations, computers, or other information- or knowledge-processing entities.”

By mapping how people are connected to and communicate with others in an organization, “Social network analysis provides a clear picture of the ways that far-flung employees and divisions are working together, and can help companies identify key experts in the organization.”

One of the popular uses of SNA is to discover who in a group may be overburdened by too many people asking him or her for help, or who possesses a valuable reservior of knowlege but is about to retire. As you consider your own professional situation, wouldn’t it be interesting to see a social network map of the people with whom you interact … and they interact?

The article primarily addresses SNA within the context of a major business enterprise or government organization. However, it mentions the emergence of popular social networks that exist outside a traditional business environment: “The rise of blogs, online support sites and social networking sites—such as Friendster and LinkedIn—have also helped raise SNA’s profile.”

I perceive that SNA is all about Identities and Relationships. To identify who possess valuable knowledge (an Identity attribute) and who interacts with whom (relationships), SNA attempts to map how people participate within an area of interest.

Over the past many years, I have attempted to record all the people with whom I have interacted in my personal knowlege base, linked to the person who introduced us. It would be an interesting exercise to conduct a social network analysis of sorts to understand how the people with whom I have interacted also interact with others. In the Participation Age, the traditional geographic boundaries that may have limited these interactions have diminished. My typical workday includes active participation with people in several timezones, in multiple organizations. My blog reaches more people than that. Social networks attempt to expand and strengthen such interactive participation. Yesterday alone, I connected with two more people on LinkedIn – another as I was writing this article.

Today, I will unveil a bit of my network, a list of some of the people in the Identity industry who’s blogs or other writings I have studied in my quest for knowledge about Identity Management. This list, entitled “Whodentity?” includes links to bios and blogs of people who have influenced me in the Identity industry. I know few of those people on a personal level, but each is part of my extended network because their knowledge has contributed to mine. Their blogs and writings include links to others.

So … SNA maps people and their relationships with others. Identity Management seeks to leverage Identity attributes to facilitate relationship with others. The Participation Age is all about enabling interactive relationships. Methinks it all ties together.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Social Network Analysis,
Whodentity,
LinkedIn,
Friendster

Mark Macauley posted an interesting article yesterday, posing the question, “isn’t the root of Identity Management really the ongoing validation of trust?”

“Once we are employed, and verified as a trusted employee, we are then monitored, validated, revalidated, challenged, and tested hundreds of times a day about who we are and are we trustworthy. Firewalls, logins, content blockers, badges, token fobs, biometrics, etc. are all part of this never ending process of maintaining trust.”

It made me remember an article I posted, discussing Masood Mortazavi‘s insights about trust.

Identity is all about trust. Certain parties make claims, other parties seek to validate those claims, — all the processes we talk about — just to make sure that a trusting relationship is established, enabling two parties to engage in commerce or otherwise interact.

But I see in Mark’s discussion a deeper question. Can institutions really “manage” Identities of people who interact with them? Perhaps this is the same question posed in the Customer Relationship Management (CRM) world – Can institutions really “manage” their relationships with their customers?

For example, my previous post mentioned a CRM system implemented by a county in Georgia. Even though their information system is labeled “CRM,” can DeKalb county really “manage” its relationships with its constituents?

One thing the Internet has done is to deflate the notion that institutions can really manage relationships of any type. Companies can build deep reservoirs of information about people and try like crazy to use that data to influence the behavior of those of us they wish to reach, but we are really in control. I like to think that I manage my relationships with the institutions, not the other way around.

And so it should be with Identity. I can acknowledge that Sun Microsystems owns and manages the Identity credentials they issued to me. After all, I get a paycheck from Sun. They pay me to access information systems on their behalf. But my relationship with eBay, Google, Yahoo or Duluth Trading Company (they make great shirts)? I should control my Identity – my relationship of trust – with them.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Trust,
Duluth Trading Company

I think my summer will be extraordinarily laid back compared with the frenetic schedule of the Identity Woman. It sounds like Kaliya will have her mind full of interesting ideas all summer long. We look forward to hearing about all of them.

Technorati Tags: Identity,
Digital Identity,
Identity Management