I was intrigued by a headline I read this morning, “How Facebook Can Put Google Out of Business,” by Ben Elowitz (@elowitz), co-founder and CEO of Wetpaint.

Elowitz started by stating his admiration for Google:

I used to envy Google and the vast digital empire that Schmidt commanded.  Google had one of the most intricate monopolies of all time. It had the most impressive dataset the world had ever seen; the most sophisticated algorithm to make sense of it; an audience of a billion users expressing their interest; and more than a million advertisers bidding furiously to reach those consumers at just the right moment.

What’s more, it had captured the ultimate prize: increasing returns to scale. Only Google could spread such huge R&D costs among an even more humongous query volume, all while offering advertisers the chance to reach most of the population with one buy. Google had earned its success.

However, he as concluded that Facebook offers more inherent value than Google, and can beat Google at its own game:

While Google has amassed an incredible database consisting of the fossilized linkages between most Web pages on the planet, Facebook possesses an asset that’s far more valuable—the realtime linkages between real people and the Web.What does this mean, and what are the implications here?

Well, in a nutshell, Facebook has stored a treasure trove of distinctive data that, if fully utilized, could put Google out of business.

I’m not astute enough to predict whether Facebook or Google will win, but I believe Elowitz has identified an important distinction between the inherent value of linkages:

“linkages between real people and the Web” [and, I might add, linkages between real people] –  primary Facebook value

or

“linkages between Web pages” – primary Google value

We call linkages between people “relationships”. In my previous post, each line on my LinkedIn connection map represents a real life relationship. Some of my Linkedin relationships are closer in real life than others, just like some of my Facebook “friendships” are closer than others.  But they are real.  They do exist.

My real-life relationships represented by Facebook or LinkedIn have inherent value to me.  Both Facebook and LinkedIn provide real value to me through the services they provide.

Google has proven that there is great business value in “linkages between web pages”.  I believe companies like Facebook and LinkedIn are beginning to how to business value can be derived from “linkages between people”.  Google is clearly trying to catch up in the relationships business, where Eric Schmidt admits they have failed.

It will be interesting to see how they, and other companies of their ilk, will continue to succeed for fail in business as they leverage (in a positive sense) their understanding of my relationships, hopefully without exploiting (in a negative sense), the private information I entrust to them.

I discovered an interesting white paper this morning, entitled, “Personal Data: The Emergence of a New Asset Class,” published by the World Economic Forum. The introductory page describes the issue:

This personal data – digital data created by and about people – is generating a new wave of opportunity for economic and societal value creation. The types, quantity and value of personal data being collected are vast: our profiles and demographic data from bank accounts to medical records to employment data. Our Web searches and sites visited, including our likes and dislikes and purchase histories. Our tweets, texts, emails, phone calls, photos and videos as well as the coordinates of our real-world locations. The list continues to grow. Firms collect and use this data to support individualised service-delivery business models that can be monetised. Governments employ personal data to provide critical public services more efficiently and effectively. Researchers accelerate the development of new drugs and treatment protocols. End users benefit from free, personalised consumer experiences such as Internet search, social networking or buying recommendations.

And that is just the beginning. Increasing the control that individuals have over the manner in which their personal data is collected, managed and shared will spur a host of new services and applications. As some put it, personal data will be the new “oil” – a valuable resource of the 21st century. It will emerge as a new asset class touching all aspects of society.

The report uses a definition of personal data provided by the World Economic Forum in June 2010:

Personal data is defined as data (and metadata) created by and about people, encompassing:

• Volunteered data – created and explicitly shared by individuals, e.g., social network profiles.
• Observed data – captured by recording the actions of individuals, e.g., location data when using cell phones.
• Inferred data – data about individuals based on analysis of volunteered or observed information, e.g., credit scores.

The report concludes:

Personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike.

The business, technology and policy trends shaping the nascent personal ecosystem are complex, interrelated and constantly changing. Yet a future ecosystem that both maximises economic and societal value – and spreads its wealth across all stakeholders – is not only desirable but distinctly possible. To achieve that promise, industries and public bodies must take coordinated actions today.

Five major recommendations are explored in depth:

1. Innovate around user-centricity and trust
2. Define global principles for using and sharing personal data
3. Strengthen the dialog between regulators and the private sector
4. Focus on interoperability and open standard
5. Continually share knowledge

As both an owner of personal data and as an Identity and Access Management practitioner, I find this subject compelling and timely.  The white paper is certainly worth the read.

When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.

These goals will require the active collaboration of all levels of government and the private sector  The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

Congratulations to my good friend Alan Norquist, whose company Veriphyr was named a “Cool Vendor in Identity and Access Management” by in a recent Gartner report.  Veriphyr offers an on-demand SaaS service that “analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.” 

I received Alan’s email informing me of this recognition earlier today – ironically just two days after I posted an article about the business benefits of Identity and Access Intelligence.  Here is Veriphyr’s definition of Identity and Access Intelligence:

Identity and access intelligence (IAI) is a new category of SaaS application that uses advanced data analytics to mine identity, rights, and activity data for intelligence that is useful not only for IT operations, but also for broader business operations. What is new about IAI is its focus on the needs of the business manager, who typically has the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and how much resource utilization is appropriate. IAI informs the identity and access management process (IAM) in a way that provides rapid value to business managers and generates the buy-in from business stakeholders that is needed for a successful project implementation.

I predict that this segment of the Identity and Access Management market will grow rapidly, as enterprises seek to gain actionable intelligence from their growing mountains of available Identity and Access data.

It was almost two months ago when I first mentioned on this blog the term coined by Gartner, “Identity and Access Intelligence.”  I have been thinking much lately about the real business value enterprises can derive from this discipline, and will attempt in this post to enumerate and comment on such benefits.

As good fortune would have it, my Oracle Colleague Nishant Kaushik shared with me a copy of a presentation deck he used recently, entitled, “Identity Intelligence to Drive Business Objectives.”

For the purpose of this discussion, we will use the term “IAM Intelligence” to refer to “Identity and Access Intelligence” or “Identity Intelligence”. Furthermore, we will regard IAM intelligence to include tools for IAM data collection, aggregation, analysis, presentation and automated action, coupled with the human processes for seeking to understand, present and act on that data – the transformation of data into actionable intelligence.

Earl Perkins of Gartner put it this way:

IAM intelligence is more than knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

Primary Business Benefits

The following major business benefits can accrue from IAM intelligence.  These are roughly the same as Nishant used in his presentation, in a slightly different order.

1. Enable Visibility and Transparency.  If an enterprise is to effectively answer the compelling questions, “Who has access to what?”, “Who granted that access?” and “How were such assess rights used?”, a great degree of information visibility and transparency is needed.   The questions are simple; the process of answering them is not.  IAM intelligence seeks to answer these questions quickly and accurately, in a manner that reduces business risk and increases regulatory compliance at a resonable cost.
2. Support Business Decisions.  Good business decisions should be based on reliable information, not on supposition.  A client recently remarked,”We need to base our decisions on facts, not just on what we think those facts are or should be.”  IAM intelligence provides the foundation for making good business decisions based on reliable information.
3. Turn Data into Insight, and Insight into Action.  With the expansion of IAM infrastructure for administering user, role and entitlement life cycles and enforcing access policy, the amount of relevant Identity and Access data is immense.  That raw data does little good unless we can effectively organize and analyze such data so effective business decisions can be made and intelligent action can be taken as a result.  IAM intelligence enables the transformation of raw data into actionable insight.
4. Strengthen Identity & Access Governance. The structured method for managing IAM systems, or IAM Governance, can be made more effective if accurate, reliable, timely and actionable information is available for IAM stakeholders to make good decisions.
5. Identify, Measure and Manage Risk.  To effectively manage risk, an enterprise must accurately identify what risks exist, create policies for dealing with such risks, and implement effective controls for enforcing those policies.  Actionable information provided by IAM Intelligence can enable enterprises to correctly identify, understand and control risk.
6. Contain Costs. Gathering and evaluating data through manual means can be very expensive, including initial data collection, manipulation, analysis and presentation.  Automated Identity Intelligence methods can minimize costs by taking labor out of the process.
7. Build Trust. In order for any information system to become an effective foundation for business execution, business leaders must implicity trust the tools and processes that comprise the the system.  An effective IAM Intelligence system will provide that trusted foundation that a business leader can use to guide his or her business activities.

Benefits from Automation

Why can’t we just use some smart people armed with spreadsheets to accomplish the same objectives?

1. Accuracy. Manual methods of data collection and organization inevitably introduce errors, which at best are difficult to find and correct, and at worst, alter business decisions in unfortunate ways.
2. Timeliness.  Manual methods often take a lot of elapsed time, causing business decisions to be delayed and needed actions to be postponed.
3. Presentation.  While much can be done with spreadsheet graphics and reports, more powerful reporting, dashboard and presentation facilities may be available with an automated system.
4. Repeatability.  Manual methods may vary as different people become involved at different parts of the process, causing variabiltiy in results from cycle to cycle.
5. Auditability.  Manual methods are more difficult to audit, because of the variability in the human part of the process.
6. Cost control.  The costs of manual methods often exceed automated processes, because the labor content of the process recurrs in every cycle. Automated methods can reduce these costs

The Bottom Line?

The overall benefit we realize from IAM Intelligence is the ability to take effective business action, based on intelligent business decisions … leading to faster, stronger business success.

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.

On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies.  All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands for such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal affect from this data breach. But it does illustrate that we are all vulnerable, whenever we trust any confidential information to someone else.

Technorati Tags: Identity Theft, Information Security, Privacy

I have been concerned for some time that Information Technology systems in general and Identity Management systems in general have become so complex that it takes rocket scientists to understand them, implement them, and take care of them.  Because of the relative scarcity of rocket scientists, many companies become overwhelmed by the complexity of the their IAM systems and either don’t implement them correctly or reap the benefit that could be realized.

Today I stumbled across an intriguing article, Simplicity: A New Model, by Jurgen Appelo, that explored the issues of simplicity and complexity. I liked the definition of simplicity Jurgen used:

Simplicity usually relates to the burden which a thing puts on someone trying to explain or understand it. Something which is easy to understand or explain is simple, in contrast to something complicated. (Wikipedia)

But he went further, explaining simplicity and complexity with the aid of a visual model:

I encourage you to read Jurgen’s article to understand the significance of each visual image.

This made me this made think, “Is there a way to map IAM systems onto a model like this?”

I don’t know the answer, but it is an issue worth exploring.  I’ll let you know if I come up with some brilliant ideas.

Triggered by Dave Kearn’s article today, “What is Privacy, Really,” I spent a few minutes this afternoon with my good friend dictionary.com.  It is amazing what one can learn about word meanings by (virtually) flipping through the pages of a dictionary.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy.

This was a bit circular in its reasoning, so I looked up “private”:

Private: confined to or intended only for the persons immediately concerned; confidential: a private meeting.

These meanings match well Dave’s desire to exercise control over when he divulges personal information:

I can see no reason to cough up details of my business, number of employees, target date for purchase, types of computers, operating systems, applications, etc., simply to read a high-class marketing document

A related term is confidential – again related to the ability to keep information private:

Confidential: spoken, written, acted on, etc., in strict privacy or secrecy; secret: a confidential remark.

For example, I can assure you that there are details of my personal life that nobody but my wife knows.  We intend to keep it that way, even if powers like Facebook and Google would have it otherwise.

Way back in September 2009 (it seems like an eternity in Identity years), I made a prediction that data analytics would begin to play a larger role in the Identity and Access Management market:

Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).

Following my blog post this morning, Alan Norquist, CEO and founder of Veriphyr, dropped me an email which at least partially confirmed that prediction.  Alan referred me to an article by Earl Perkins of Gartner entitled, Time for Intelligence and Clarity in IAM.

A few excerpts:

Something interesting is developing in the identity and access management arena. It isn’t new– if you look closely, you’ll recognize it from countless other technologies and processes that progress to maturity. IAM is no different. What I’m seeing is the maturing of intelligence. …

One could even say that once that knowledge gets into the hands of the right people and they make actionable decisions with it, it’s no longer knowledge– it’s intelligence. …

IAM should be (among other things) about clarity. How do we make clear to the business that there is intelligence on those [IAM] logs, waiting to be mined, and that intelligence may make all the difference in their decisions? The best way is to deliver it, to provide that IAM intelligence is more knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

Gartner calls this “Identity and Access Intelligence.”  I am trying to get a copy of the full Gartner report on this topic.  I’ll comment more when I do.