I think there is a propensity to think that “Identity attributes”  are strictly limited to those stored in a directory user object.  That focus is too narrow.  While it may be that the “Identity Management System” only knows about those attributes, the sum total of real Identity information can be much broader.  This broader view of Identity is essential if we hope to leverage Identity Management to enable innovative business models.

For example, if I am an online vendor hoping to leverage user Identities to provide a highly personalized user experience for my customers, I must not rely only on the user object in the authentication directory.  A more rich set of Identity data comprising history, preferences and real-time context must be considered. This information may reside in multiple repositories.

Just my thoughts.  What do you think?

Features and functions, speeds and feeds are not front and center in the dialog.  The main topic of conversation tends to revolve around the best practices for using IAM to business advantage.  What have we collectively learned that will make success easier to achieve and more predictable?

In the maturing IAM industry, we have made great strides in learning how to install and configure IAM technology.  Many companies have learned how to derive business value from IAM.  Unfortunately, we haven’t done a good job of consistently documenting and sharing the experiences we have all gained in making it all really work. We have not consistently distilled experience gained into prescriptive recipes for success.  Customer success stories provide good anecdotal evidence, but fall short of being prescriptions for success.  We have precious few white papers that focus on how to make things work, rather than on extolling features and functions.

It would be an interesting exercise to interview a wide range of companies that have implemented IAM, derive from that body of collective knowledge what really works and what doesn’t, and present that information in a set of best practices that can help others succeed.  Book idea? We’ll see.

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

• Snooping into medical records of fellow employees (35%)
• Snooping into records of friends and relatives (27%)
• Loss /theft of physical records (25%)
• Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

• One to three days (30%)
• One week (12%)
• Two to four weeks (17%)

Once a breach was detected, it was resolved in:

• One to three days (16%)
• One week (18%)
• Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

This complimentary Webcast will show how the Oracle identity platform can:

1. Mobilize and complete your identity management project
2. Coexist with or replace your existing identity management point solution
3. Reduce security risk and improve regulatory compliance

• Identity Management 11g: A Giant Leap in Identity Management
• Addressing Access Governance with Oracle Identity Analytics 11g

If you plan to be in Arizona on the 22nd, please drop by and join us!

Oracle Identity Analytics can help … really!

Today I sat through a presentation that depicted IAM in the traditional context, as something that would improve compliance, increase operational efficiency and enhance security.  While these drivers are still valid, I couldn’t help but contrast those two views.

On one hand, IAM is considered to be very defensive in nature, necessary but burdensome.  On the other hand is an innovative vision that IAM is first and foremost a proactive, offensive weapon and business enabler, secondarily a protective shield.

Can you tell where I’d rather play?

So, please learn your password … or try out Oracle ESSO!

The first product offering is the addition of Identity Federation to AWS Identity and Access Management Services, which gives customers:

the ability for you to use your existing corporate identities to grant secure and direct access to AWS resources without creating a new AWS identity for those users. This capability enables you to programmatically request security credentials, with configurable expiration and permissions, that grant your corporate identities access to AWS APIs and resources controlled by your business.

The second offering, “AWS GovCloud,” offers:

a new AWS Region designed to allow U.S. government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.

I find it intriguing that the same company that pioneered the industries of online book retailing and ebooks, is so innovative in cloud services and Identity Management.  Plus, I was able to order an new cordless drill from the comfort of my hotel room in San Mateo last night!  Thanks to Amazon and UPS, I think the drill will arrive Arizona before I do this week.

• 3 Hot Trends in IDM (Part 1 of 3)
• Why Provisioning Is Really An Authorization Problem
• Auditing the Cloud
• Amazon boosts IdM offering for cloud

I’m particularly looking forward to learning what Hot Trends 2 and 3 are.

You can also follow Chad on Twitter at @chadrussell_idm.

By the way, the young man up in the corner is Chad’s son, proclaiming, “Love the site, Pops!“