
Exploring the science and magic of Identity and Access Management
Tuesday, May 22, 2012

Chad Russell – Welcome to the Blogosphere!

Identity
Author: Mark Dixon
Thursday, August 18, 2011
8:12 am


I always enjoy learning about a new Identity Management blog. Today, please join me in welcoming Chad Russell, an Oracle colleague and good friend who hails from the great state of Arkansas, into the blogosphere.  He recently launched a new Identity Management blog, “Brave New Identity – Identity Happenings from the Field.”  His last four posts are both relevant and interesting:

  • 3 Hot Trends in IDM (Part 1 of 3)
  • Why Provisioning Is Really An Authorization Problem
  • Auditing the Cloud
  • Amazon boosts IdM offering for cloud

I’m particularly looking forward to learning what Hot Trends 2 and 3 are.

You can also follow Chad on Twitter at @chadrussell_idm.

By the way, the young man up in the corner is Chad’s son, proclaiming, “Love the site, Pops!”

 

Aberdeen Research Brief: Identity and Access Management – Platform vs. Point Solution

Identity
Author: Mark Dixon
Wednesday, August 17, 2011
9:22 pm


One of the big questions in modern Identity and Access Management continues to be: “Is it better to choose individual point solutions and integrate them in my enterprise, or should I choose a complete IAM platform?”

I recently learned of an intriguing Research Brief published by the Aberdeen Group, entitled, “IAM Integrated: Analyzing the ‘Platform’ versus ‘Point Solution’ Approach.” Aberdeen’s conclusion:

Based on more than 160 respondents from its Managing Identities and Access study (February 2011), Aberdeen’s analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise-integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages.

 

The most significant advantages realized by organizations adopting the Platform approach to Identity and Access Management, as compared to those adopting the Point Solution approach, include:

  • Increased end-user productivity
  • Reduced risk
  • Increased agility
  • Enhanced security and compliance
  • Reduced total cost

Aberdeen’s research also confirmed the merits of a pragmatic “Crawl, Walk, Run” approach as the basic template for successful enterprise-wide initiatives involving Identity and Access Management, similar to what I have been recommending for years.

  • Adopt a primary strategic focus.
  • Put someone in charge.
  • Prioritize security control objectives as a function of requirements for risk, audit and compliance.
  • Establish consistent policies for end-user identities and end-user access to enterprise resources.
  • Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions.
  • Standardize audit, analysis and reporting for IAM projects.
  • Evaluate and select IAM solutions.

Each element of this recommended approach is described more fully in the report.

I highly recommend that you download a copy of the report and review both the further detail and the methods Aberdeen used to arrive at its conclusion.
 

What is Your Secret Identity?

Humor, Identity
Author: Mark Dixon
Thursday, August 4, 2011
6:44 am


Do you have a secret Identity, an alter-ego, a second (or third) personality manifesting itself secretively in cyberspace?  If so, you must be a superhero, according to Ziggy (aka Zigmeister), our ever-erudite philosopher.

 

Scarce Interest in Verifying my Identity

Identity
Author: Mark Dixon
Friday, July 29, 2011
6:09 am


On December 10, 2009, I posted a short piece on this blog about Trufina, a company providing online identity verification services.  For a long time, I had a visible Trufina badge on the blog, so someone could click on it to verify that I was, indeed, the very Mark Dixon I claimed to be.  Since no one expressed interest, I took the badge off my main page.

Just this week, over 18 months later, one person actually clicked on the link in my December 2009 post and requested verification of my identity – not so much that he was interested in my identity as he was in the process of validating online identities.

I have concluded that this dearth of activity must have something to do with the following:

  1. My blog is rarely read.
  2. People aren’t interested in Trufina.
  3. People just don’t care about validation of online identities.
  4. A combination of the above.

By the way, I have never received a single request from someone via Tru.ly, the similar service whose badge I now display in the rightmost column of this blog. But I must be patient.  I just signed up for Tru.ly in March 2011.  I have 14 more months before I can really compare the popularity of Tru.ly and Trufina.

 

 

Oracle Webcast: Introducing Oracle Unified Directory 11g

Identity
Author: Mark Dixon
Tuesday, July 19, 2011
8:45 am


Last week, I attended a week-long training session focused on Oracle’s new directory services product, Oracle Unified Directory.  A direct descendant of the Sun Microsystems OpenDS project, OUD is the next-generation Java-based directory product we have been anxiously anticipating for a long time.  This webinar is the first public unveiling of this exciting new product.

 

Identity Hardness – Do You Need Talc or Diamonds?

Identity
Author: Mark Dixon
Wednesday, June 15, 2011
4:56 pm


I had an interesting Twitter conversation recently with @steve_lockstep and @NishantK about Identity Assurance.  It began with Steve’s comment about how Facebook identities were of little worth, unfit to use with valuable transactions.  Nishant suggested that most Relying Parties (RP’s) are content with “soft” identities that have to do with personal likes and interests, while significantly fewer RP’s rely on “hard” identities.

Nishant’s observation about “hard” and “soft” identities made me think of the Mohs Mineral Hardness Scale, which assigns an “absolute” hardness value to different minerals.  Wikipedia’s article uses the following table to illustrate this concept:

Mohs Hardness Scale

Perhaps we could suggest a corresponding mineral and hardness value to each of NIST’s standard four Levels of Assurance (LOA) shown in the following table.

Levels of Assurance

Steve stated on Twitter that “I’m preoccupied with hard identity: doctors, lawyers, bank accts, patients”: scenarios where Facebook just doesn’t work. We could say that Steve is dealing in diamonds (level 4), but Facebook only offers talc (level 1).  Having a tangible example helps illustrate the somewhat ethereal LOA concept.  And over time, perhaps we can come up with a more definitive way to measure just how hard a particular Identity Assurance process really is.

As a parting thought: I have suggested minerals to match NIST Assurance Levels 1 and 4.  What would you suggest for the other two?

 

Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm


On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments needs to be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself.  The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.

 

How Much of Your Profile Data Can Your Social Network Share?

Identity
Author: Mark Dixon
Monday, June 13, 2011
4:21 pm


An interactive “Provider Guide” provided by JanRain shows what personal profile data maintained by popular social networks is available to applications that connect to these networks.  It is not surprising that Facebook offers the most information; LinkedIn is second in terms of available profile attributes.

With this many attributes about subscriber identities available through published API’s, it isn’t surprising that the stock market placed a huge premium on LinkedIn, and will presumably do the same with Facebook.  Perhaps the most valuable attributes are the connections to other people – friends on Facebook, contacts on LinkedIn.  The Network Effect arising from the interconnectivity of all those online members triggers extreme value momentum, particularly when all those relationships can be exposed to third parties.

 

What is more valuable – linkages between web pages or between people?

Identity, Social Media
Author: Mark Dixon
Saturday, June 4, 2011
12:50 pm


I was intrigued by a headline I read this morning, “How Facebook Can Put Google Out of Business,” by Ben Elowitz (@elowitz), co-founder and CEO of Wetpaint.

Elowitz started by stating his admiration for Google:

I used to envy Google and the vast digital empire that Schmidt commanded.  Google had one of the most intricate monopolies of all time. It had the most impressive dataset the world had ever seen; the most sophisticated algorithm to make sense of it; an audience of a billion users expressing their interest; and more than a million advertisers bidding furiously to reach those consumers at just the right moment.

What’s more, it had captured the ultimate prize: increasing returns to scale. Only Google could spread such huge R&D costs among an even more humongous query volume, all while offering advertisers the chance to reach most of the population with one buy. Google had earned its success.

However, he has concluded that Facebook offers more inherent value than Google, and can beat Google at its own game:

While Google has amassed an incredible database consisting of the fossilized linkages between most Web pages on the planet, Facebook possesses an asset that’s far more valuable—the realtime linkages between real people and the Web.

What does this mean, and what are the implications here?

Well, in a nutshell, Facebook has stored a treasure trove of distinctive data that, if fully utilized, could put Google out of business.

I’m not astute enough to predict whether Facebook or Google will win, but I believe Elowitz has identified an important distinction between the inherent value of linkages:

“linkages between real people and the Web” [and, I might add, linkages between real people] –  primary Facebook value

or

“linkages between Web pages” – primary Google value

We call linkages between people “relationships”. In my previous post, each line on my LinkedIn connection map represents a real life relationship. Some of my LinkedIn relationships are closer in real life than others, just like some of my Facebook “friendships” are closer than others.  But they are real.  They do exist.

My real-life relationships represented by Facebook or LinkedIn have inherent value to me.  Both Facebook and LinkedIn provide real value to me through the services they provide.

Google has proven that there is great business value in “linkages between web pages”.  I believe companies like Facebook and LinkedIn are beginning to show how business value can be derived from “linkages between people”.  Google is clearly trying to catch up in the relationships business, where Eric Schmidt admits they have failed.

It will be interesting to see how they, and other companies of their ilk, will continue to succeed or fail in business as they leverage (in a positive sense) their understanding of my relationships, hopefully without exploiting (in a negative sense) the private information I entrust to them.

 

Personal Data: The Emergence of a New Asset Class

Identity
Author: Mark Dixon
Wednesday, June 1, 2011
8:49 am


I discovered an interesting white paper this morning, entitled, “Personal Data: The Emergence of a New Asset Class,” published by the World Economic Forum. The introductory page describes the issue:

This personal data – digital data created by and about people – is generating a new wave of opportunity for economic and societal value creation. The types, quantity and value of personal data being collected are vast: our profiles and demographic data from bank accounts to medical records to employment data. Our Web searches and sites visited, including our likes and dislikes and purchase histories. Our tweets, texts, emails, phone calls, photos and videos as well as the coordinates of our real-world locations. The list continues to grow. Firms collect and use this data to support individualised service-delivery business models that can be monetised. Governments employ personal data to provide critical public services more efficiently and effectively. Researchers accelerate the development of new drugs and treatment protocols. End users benefit from free, personalised consumer experiences such as Internet search, social networking or buying recommendations.

And that is just the beginning. Increasing the control that individuals have over the manner in which their personal data is collected, managed and shared will spur a host of new services and applications. As some put it, personal data will be the new “oil” – a valuable resource of the 21st century. It will emerge as a new asset class touching all aspects of society.

The report uses a definition of personal data provided by the World Economic Forum in June 2010:

Personal data is defined as data (and metadata) created by and about people, encompassing:

  • Volunteered data – created and explicitly shared by individuals, e.g., social network profiles.
  • Observed data – captured by recording the actions of individuals, e.g., location data when using cell phones.
  • Inferred data – data about individuals based on analysis of volunteered or observed information, e.g., credit scores.

The report concludes:

Personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike.

The business, technology and policy trends shaping the nascent personal ecosystem are complex, interrelated and constantly changing. Yet a future ecosystem that both maximises economic and societal value – and spreads its wealth across all stakeholders – is not only desirable but distinctly possible. To achieve that promise, industries and public bodies must take coordinated actions today.

Five major recommendations are explored in depth:

  1. Innovate around user-centricity and trust
  2. Define global principles for using and sharing personal data
  3. Strengthen the dialog between regulators and the private sector
  4. Focus on interoperability and open standard
  5. Continually share knowledge

As both an owner of personal data and as an Identity and Access Management practitioner, I find this subject compelling and timely.  The white paper is certainly worth the read.

 

 

 
 
 
 


 
 
 
 
Copyright © 2005-2011, Mark G. Dixon. All Rights Reserved.