Talking Identity

Dave Kearns recently took on the topic of how user-centric and enterprise-centric identity could possibly co-exist in his articles for the Network World Identity Management Newsletter. In his first post, he discussed what the difference between the two is -  the need in the Enterprise scenario to have all identity-related transactions tied together from an audit perspective, contrasted with the need in the User-Centric (or personal) scenario to have no ability to tie together the various transactions a person can enter into. In his follow-up post, he discussed how the two, given these diametrically opposite requirements, could co-exist.

Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier - an email address - is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It's an interesting problem that I think needs to be addressed by the identity community, because if it isn't, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

This week I was invited to join Brenda Hughes from Cisco on next weeks DIDW panel discussing "Lessons learned from Successful Compliance Deployments". My hope is to share some of the insight I obtained from watching (at uncomfortably close quarters, from a vendor perspective) a number of our customers go through the process of deploying identity management to solve some of their main compliance issues. Obviously, compliance has been the big story in IdM the last few years, and most companies still have a long way to go. But the nature of the discussion seems to be changing a bit, as compliance itself is de-mystified. Come by for what is sure to be an interesting conversation.

Also, I will be connecting with a number of folks who are coming out to DIDW, both one-on-one and in some interesting group settings. Matt Flynn has organized a blogger meet, which I look forward to, since my attempt at a Tweetup sort of fell flat. Should be interesting. Again, grab me if you see me at the opening reception or at the demogrounds, or while I am rushing from one session to another, if you want to chat.

Continuing something I started as an experiment at Burton Catalyst, I will be twittering extensively during the conference, sharing what I am hearing, my thoughts and the experiences of DIDW (provided I can snag a power outlet and/or AT&T 3G can avoid going down again). Be sure to follow me at http://www.twitter.com/NishantK if you are interested in my perspective on the proceedings.

My Digital ID World was all about conversations. Much more useful to me than the sessions was the opportunity to brainstorm with some very smart, very committed (some insanely so) people in the identity community. The sessions were good, and some managed to inspire some original thought. But the hallway conversations (so to speak) were really what made this conference work for me.

I felt a little bit like the blind men examining the elephant, except that I could see a little bit. So while everything being talked about looked and felt like different things addressing unique problems, I could also see a little of how they interconnect and relate as part of a larger, more cohesive whole. This was especially true of the sessions on the Identity Assurance Framework, Identity Protocols, Identity Services and VRM, and my conversations with Kim Cameron, Doc Searls and Bob Blakely, among others.

The remainder of my week is being spent at Oracle HQ, so I will be pretty busy in meetings. I will therefore post more detailed thoughts on specific topics that came up in the sessions at a later time. In the meantime, you can check out the real-time stream of consciousness thoughts I had at DIDW by clicking this link to read my Twitter posts from the conference.

I was hoping to find some time to dig a little deeper into some of the themes, conversations and ideas that were floating around the halls at DIDW last week. Unfortunately, time was not a luxury I had this week. I am writing this aboard a flight to San Francisco, as I head there to attend the annual Oracle OpenWorld conference.

Oracle's big shindig is the place to come to if you want to find out about all that is going on in the world of Oracle. And this year is no different. The conference is bigger than ever (I hear upwards of 43,000 will be attending), and there will be some big announcements at the keynotes. Oracle Identity Management will be well covered at the show, both on the demogrounds and in the many sessions, where IdM got its own track.

Not surprisingly, I will be speaking on the topic of Identity Services. My 3rd session on the topic continues the discussion I started 2 years ago in a session on application-centric identity management. If you are going to be at OpenWorld, then definitely come check out my session, as I delve into the practicalities of building an Identity Services Platform for your enterprise.

Session ID: S298923
Session Title: Building an Identity Services Layer with Oracle Identity Management
Venue: Marriott
Room: Golden Gate C3
Date: Wednesday, 24th September 2008
Start Time: 09:00 am

During the session, I will present how one can go about deploying identity management in a way that enables the development of identity-enabled applications. I will also discuss some of the things I have learnt from participating in Burton Group's Identity Services Working Group, my many conversations with the identirati at Catalyst and DIDW this year, and from my continued involvement in Project Fusion, which lays down the architecture for the next generation enterprise application. Unfortunately I drew the short straw and got the 9am shift, so there are sure to be people who won't make it as they recover from their shenanigans the previous night. Hopefully I will still be on East Coast time, and sufficiently caffeinated :-)

And as always, I will be twittering my observations from OpenWorld in real-time, so be sure to follow me for the latest. I hear there will be a number of interesting announcements.

See you in San Francisco.