Friday Jul 31, 2009

Top Ten Catalyst Takeaways

It has been a great few days in San Diego attending the Burton Group Catalyst Conference.  It is always refreshing and invigorating to hear what others have to say, both in formal sessions and in ad hoc conversations.  I previously posted the key points for the sessions I attended on Day 1, Day 2 and Day 3.

Here is my list of the most important ideas or concepts I gleaned from the conference.
  1. The biggest challenges facing the Identity Management industry are business issues, rather than technology.
  2. Much more discussion focused on the process of Identity Management than the tools of Identity Management. 
  3. Discussions about user-centric or user-controlled Identity were focused more on what the practical business models might be, rather than on enabling technology.
  4. The quest for business efficiency has perhaps overtaken regulatory compliance as the most important driver for Identity Management.
  5. Role management, while still having challenges, is very much in the mainstream of implementation and use.
  6. Federation has become a foregone conclusion, rather than a theoretical exercise.
  7. Entitlement management is gaining traction, but still needs much much work.
  8. Several Identity Services companies are emerging as recognition is growing that Identity as a service is critical to cloud computing.
  9. Privacy has emerged as a leading topic in its own right, rather than a subordinate topic within discussions of security and Identity Management.
  10. The terminology used within the Identity Management market is still not precise, particularly in areas such as role management and entitlements management.
I'd be happy to discuss any or all of these in more detail.  Please drop me a line and let's talk.

Thanks for stopping by.


Catalyst Conference, Day 3 (Friday, July 31)

This morning's Privacy Track was the most intellectually stimulating set of sessions for me in the Catalyst Conference.  The blend of theoretical background and practical application of privacy principles was a good combination.  I certainly don't consider myself a privacy expert, so I learned much and gained valuable perspective, both from the point of view of an Identity Management practitioner and as a person who values personal privacy. Hats off to Burton Group for assembling an excellent set of speakers.

Here are the high points for me:

Privacy: Principles Yield Practice
Bob Blakley (Burton Group)
  1. Privacy is not about data, it is about people
  2. Protecting privacy means putting oneself in the place of another and understanding the consequences of your actions
  3. Privacy means different things in different contexts
  4. Privacy principles:
    1. accountability
    2. transparency
    3. meaningful choice
    4. minimal collection and disclosure
    5. constrained use
    6. data quality and accuracy
    7. validated access
    8. security
  5. Put principles into context - then derive set of rules
  6. IdM systems have much personal data in them.  Are we protecting the dignity of the people I know things about?

Privacy Issues Related to Healthcare and Identity
Speaker: David Miller (Covisint)
  1. IAM is not a security thing.  It is a privacy thing.
  2. Security is about keeping people out; privacy is about letting the right people in.
  3. Electronic Medical Records (EMR) are being dictated by legislation, but have challenges to overcome, including:
    1. authentication
    2. authorization
    3. data exists in many places
    4. patient access to records depends on many factors
    5. many organizations want access to information
    6. regulatory issues
    7. legal/tort issues
  4. One solution is a central Health Information Exchange (HIE).
  5. Several different organizations at the national, state and health care organization level approach HIEs differently.

Privacy - how to have a productive multi-stakeholder discussion
Robin Wilton (Future Identity Ltd.)
  1. Privacy is usually a multi-stakeholder discussion
  2. It is difficult for stakeholders to articulate their view of privacy problems in a way that other stakeholders understand
  3. Use the "Onion Model" to explore and use levels of importance of personal information
  4. Use the "Ladder Model" to facilitate different viewpoints about privacy
  5. We are doing all this technical interaction in online networking as if it works the same way as face to face interaction, but it does not.
  6. "Privacy management" implies being aware of relationships and contexts, and acting accordingly.
  7. Technology is not an automatic answer to privacy.

A Dual Mission: Identity Management and Privacy Protection in the Federal Government

Bob Mocny, Director, DHS-VISIT Program - Department of Homeland Security
  1. Identity management is critical to national security
  2. US VISIT - check credentials for visitors into
  3. 100 million biometric records used for authentication, 200K transactions/day - largest in the world
  4. Built privacy into architecture of system
  5. Secure facilities and networks are in place to protect privacy
  6. Redress process to correct personal information in the system is essential
  7. No more important condition between the government and the people it protects than trust
  8. US VISIT built trust into the biometric system

Joint Q&A
Bob Blakley (Burton Group)
Bob Mocny (Department of Homeland Security)
Robin Wilton (Future Identity Ltd)
David Miller (Covisint)
  1. Privacy-enhancing governance is difficult (e.g. if you request that your PII be deleted from a list, is your PII still on the audit trail?)
  2. Much explicit effort and many systems are necessary to avoid unintended consequences of amassing large amounts of personal information.
  3. People who have grown up in a hyper-connected, pervasive-surveillance world tend to have different perspectives on privacy than older people for whom personal information was secret by default.

Partnering via Privacy
Ian Glazer (Burton Group)
  1. Increased regulatory action, higher penalties, more people looking at privacy - all increase the attention companies must focus on privacy.
  2. Increased reliance on partners requires companies to understand privacy practices of partners.
  3. Perform Privacy Impact Assessments (PIA) to determine where we are, how we got here, and how changes can impact risks.
  4. PIA - opportunity to look at mission goals, design goals and privacy principles - are they in alignment?
  5. Reduce privacy risk by "cleaning your basement"
    1. Scary basements (something might be illegal)
    2. Messy basements (policy in place, but not well-applied)
  6. Procurement process is the best place to ask tough questions about partner privacy practices.

The Watchmen: UCLA & Georgetown Protect and Defend Privacy and Data Security
Heidi Wachs (Georgetown University)
  1. Although Georgetown University and UCLA have significant differences in size, organization and operational practices for privacy policy, the incident response process is quite similar
  2. Both suffered significant privacy breaches
  3. Response depends on what data is actually "acquired" vs. how much was "exposed"
  4. Privacy breaches triggered much public press and discussion
  5. New policies implemented quickly as a result of the breach have been difficult to implement

How Google Protects the Privacy of Our Users

Shuman Ghosemajumder (Google)
  1. Google global design principles: transparency, choice, security.
  2. End to end security is an essential part of every Google Service.
  3. Google Latitude: make privacy choices very visible and easily accessible, with opt-out at multiple levels.
  4. Street view: blur faces and license plates automatically, but allow individuals to request blurring if automated process fails.
  5. Interest-based advertising: give users control over categories and opt out at different levels of granularity.
  6. Gmail: contextual ads caused concern - because of its proximity to and dependence on personal email.
  7. Data retention: Google anonymizes IP addresses in logs after 9 months.
  8. Google chose paradigm of "opt-in after the fact", rather than offering "opt-in beforehand" to not disrupt the user experience or advertising ecosystem.
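The data-retention point above (anonymizing IP addresses in logs once they pass a retention window) is easy to state and easy to get wrong in practice, so here is an added example of how such a job can be implemented. This is my own illustration, not Google's code or its published method: the log lines are constructed, the "9 months" window is approximated as 270 days, and truncating IPv4 addresses to /24 and IPv6 addresses to /48 is an assumption about what "anonymize" means here.

```python
"""Retention-based IP anonymization for access logs (added illustration).

Hypothetical code: the combined-log line format, the 270-day approximation
of "9 months" and the /24 and /48 truncation are all assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=270)  # assumption: "9 months" approximated as 270 days

# Combined-log-style line: "<ip> <ident> <user> [<timestamp>] ..." (constructed format)
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<idents>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(addr: str) -> str:
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str, now: datetime) -> str:
    """Return the line unchanged if it is inside the retention window, else with the IP truncated."""
    m = LINE_RE.match(line)
    if not m:
        return line  # unparseable line: pass through untouched (should be flagged upstream)
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        masked = anonymize_ip(m.group("ip"))
    except ValueError:
        return line  # bad timestamp or address: leave as-is rather than corrupt it
    if now - ts < RETENTION:
        return line
    return f"{masked} {m.group('idents')} [{m.group('ts')}]{m.group('rest')}"


def process(lines: list[str], now: datetime) -> list[str]:
    return [anonymize_line(ln, now) for ln in lines]


# Constructed sample lines; "now" is fixed so the example is deterministic.
SAMPLE_NOW = datetime(2009, 8, 1, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '203.0.113.77 - - [01/Oct/2008:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Jul/2009:08:00:00 +0000] "GET /about HTTP/1.1" 200 128',
    '2001:db8:abcd:1234::5 - - [15/Sep/2008:12:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 64',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for out in process(SAMPLE_LINES, SAMPLE_NOW):
        print(out)
```

Note that the job only masks the client address; the request path and query string on the same line can still identify a person, which is exactly the kind of field a privacy impact assessment should enumerate before the retention policy is declared satisfied.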


Thursday Jul 30, 2009

Catalyst Conference, Day 1 (Wednesday, July 29)

I have thoroughly enjoyed this week at the Burton Group Catalyst Conference in San Diego, California.  It has been good to take the pulse of the Identity Industry, re-connect with old friends and meet new people.  I would have enjoyed attending the Cloud Computing or Mobility tracks this year, but stayed with my old standby, the Identity track.  Key points I gleaned from the sessions I attended are included below.  If you would like to review my complete notes on any session or discuss any of these topics, please send me a comment.

Thanks for stopping by.

2009: Upheaval In The Identity Market
Bob Blakley (Burton Group)
  1. The expanding identity universe is changing in three dimensions:
    1. scale - moving both to small (SaaS, SMB) and massive (consumers, social networks)
    2. control - moving from centralized to distributed (de-perimeterization, outsourcing)
    3. focus - moving from business to individual
  2. An infrastructure is evolving that will allow us to transform from being just an "account" in a system to being a "person" in a world where physical and virtual worlds are no longer distinct.

Identity Management: No Time Like the Present
Lori Rowland (Burton Group)
Bob Blakley (Burton Group)
Mark Diodati (Burton Group)
Gerry Gebel (Burton Group)
Ian Glazer (Burton Group)
Kevin Kampman (Burton Group)
  1. Much more focus on efficiency, short ROI and accelerated time to value.
  2. Strong market for IdM during tough economic times; pent up demand will probably fuel growth when economy recovers because organizations have discovered new requirements as they use IdM systems.
  3. Oracle acquisition of Sun is strongly impacting the industry.
  4. Oracle will probably not abandon the Sun user base.
  5. Need to re-define or clarify IdM terms, such as provisioning, roles, entitlement management and privileged user/account management.  These terms have grown to mean too many things or are ill-defined in the industry.
  6. SPML is re-emerging as a potentially important standard.
  7. Identity and access governance may emerge as an architectural layer distinct from provisioning and role management.
  8. The uptake on role management is tremendous.
  9. Federation will be default protocol for cloud computing.
  10. Interoperability and integration continue to be large challenges.

Two Billionths of a Second after the Big Bang - Where Is Consumer Identity?
Michael Barrett (PayPal)
  1. Many consumers have too many online identities to effectively manage.
  2. Consumer Internet interactions are repetitive, frustrating and littered with outdated info.
  3. Super scale: billions of Internet users; millions of relying parties.
  4. Effective consumer-managed Internet Identity infrastructure is needed.
  5. We don't have a "network effect in action" for consumer Identity, and we need one.
  6. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants.
  7. A fourth role in the Internet Identity process may be the "assertion provider" or "attribute broker" (e.g. credit bureaus).
  8. PayPal may be interested in being an IdP; other candidates include eBay, Google, Facebook, Microsoft.

The Identity Services Market
Bob Blakley (Burton Group)
  1. The value proposition for cloud computing is not lower cost, but time to value.
  2. Independent service vendors can provide slices of Identity functionality - customers design how they are packaged together.
  3. The market is building with small firms offering discrete billable units in areas such as vetting, provisioning, logon, risk scoring and user experience augmentation.
  4. Azigo and Kynetics are examples of enabling users to be "recognized", rather than "interrogated".
  5. The "pay as you go" aspect of services will force people to explicitly focus on business value, not just technology.

Externalizing Authorization in a large scale Software-as-a-Service Environment
Steve Merritt (Hoover's, Inc.)
  1. Hoover's need was driven by complex needs for delivering business information to users, based on subscriptions.
  2. Requirements included
    1. fine grained control
    2. flexible - different types of objects, apps
    3. complex entitlements
    4. dynamic groups
    5. centralized administration
    6. easy application integration - easy to use API or standard protocol
    7. scalable
    8. multitenant
    9. integration with enterprise IdM solutions
  3. Evaluated build vs. buy.
  4. Selected Cisco Enterprise Policy Manager (formerly Securent).
  5. Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure.

The Age of Identity Oracles
Mary Ruddy (Meristic, Inc.)
Ron Carpinella (Equifax)
Tom Oscherwitz (ID Analytics)
Rick Rubin (OneHealthPort)
Denise Tayloe (CEO, Privo)
  1. "Identity Oracles" deliver value individual companies can't provide for themselves.
  2. Achieving critical mass and establishing de facto community standards are essential to adoption.
  3. To build critical mass, it can be helpful to bring a large group up to a low level of security, rather than a few people to a high level of security.
  4. These markets will see more government regulation unless the industry can demonstrate it can self-regulate.
  5. Many solutions failed because they don't walk the line between assurance and usability.

Roles: The Real, the Imaginary, and the Broken
Kevin Kampman (Burton Group)
  1. Speaking as voice from the customer, based on feedback from customers.
  2. Vendor products tend to be focused on a particular aspect, but not the whole space.
  3. Tools tend to be oriented toward technologists, not the business community.
  4. Efficiency and compliance are still major drivers.
  5. Governance of role management initiatives is essential - usually in concert with overall Identity Management governance.
  6. Execution is a classic project management challenge: identify scope, manage priorities, establish metrics, recognize challenges.
  7. Many people, from business and technology viewpoints, must work together effectively to achieve success.
  8. Roles bring value to downstream processes like provisioning and entitlement management.
  9. To start, pick well-understood domains, with fairly stable populations, where there is a real problem to be solved.
  10. Quality data is critical - you must be able to rely on it.

Empower the Business with Identity Management
Robert Amos (NuStar Energy)
  1. Funded project based on efficiency for HR department.
  2. Managers and role owners must agree to new process.
  3. Work with simple role structure first.

Role Management - Leveraging the Investment

Paul Rarey (Safeway, Inc)
  1. Focus on highest value: using 25 roles addressed 60% of the problem.
  2. Choose roles by focusing on high volume of people change and malleability of business process.
  3. The identity warehouse, which holds trusted and aligned Identity data from multiple sources, provides the foundation.
  4. Roles support more than RBAC; they support good decision making: is the right person in the right place doing the right thing?

The Intersection of Roles and Entitlement Management
Kevin Kampman (Burton Group)
Alice Wang (Burton Group)
  1. Assigning entitlements directly to users doesn't scale, lacks flexibility, is not agile and increases compliance risk.
  2. Policy: glue that binds roles to, or divorces roles from, entitlements.
  3. XACML is a reference model for separating authorization processing out of application, but is not the only one.
  4. Bottom line goal for entitlement management: control access efficiently, with clarity, in compliance with regulations.
  5. Roles facilitate meaningful conversations between different constituencies.
  6. Roles are off to the races ... entitlement management is learning to walk.
  7. How many roles are effective? It comes back to how many to manage effectively.
  8. A role/rule based system is a good way to balance the problem of too many roles.
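Points 1, 2 and 8 above describe a structure rather than a product: entitlements are bound to roles, policy is the glue that binds or divorces them, and rules keep the role count manageable. The following is an added example of that structure in code. It is hypothetical code written for this post, not from Hoover's, Safeway, Cisco or any vendor mentioned in the notes; the users, departments, roles and resources are constructed.

```python
"""Roles bound to entitlements through policy, with rules (added illustration).

Hypothetical code: user, department, role and resource names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Entitlement:
    resource: str
    action: str


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)


# A rule decides whether a role a user holds is active for them; it is how
# policy "divorces" a role from its entitlements without touching the bindings.
Rule = Callable[[User, str], bool]


class Policy:
    """The glue: role -> entitlement bindings, activation rules, and exclusions."""

    def __init__(self) -> None:
        self.bindings: dict[str, set[Entitlement]] = {}
        self.activation_rules: list[Rule] = []
        self.exclusive_pairs: set[frozenset] = set()  # separation-of-duty pairs

    def bind(self, role: str, *ents: Entitlement) -> None:
        self.bindings.setdefault(role, set()).update(ents)

    def unbind(self, role: str, ent: Entitlement) -> None:
        self.bindings.get(role, set()).discard(ent)

    def add_rule(self, rule: Rule) -> None:
        self.activation_rules.append(rule)

    def exclude(self, role_a: str, role_b: str) -> None:
        self.exclusive_pairs.add(frozenset({role_a, role_b}))

    def assign(self, user: User, role: str) -> None:
        """Assign a role, refusing combinations that violate separation of duty."""
        for held in user.roles:
            if frozenset({held, role}) in self.exclusive_pairs:
                raise ValueError(f"{role} conflicts with {held} for {user.name}")
        user.roles.add(role)

    def active_roles(self, user: User) -> set:
        return {r for r in user.roles
                if all(rule(user, r) for rule in self.activation_rules)}

    def entitlements(self, user: User) -> set:
        out: set = set()
        for r in self.active_roles(user):
            out |= self.bindings.get(r, set())
        return out

    def permits(self, user: User, ent: Entitlement) -> bool:
        return ent in self.entitlements(user)


def department_rule(user: User, role: str) -> bool:
    """Finance roles are only active for people whose HR record says finance."""
    return user.department == "finance" if role.startswith("finance-") else True


def build_demo_policy() -> Policy:
    p = Policy()
    ledger_read = Entitlement("ledger", "read")
    ledger_post = Entitlement("ledger", "post")
    payment_approve = Entitlement("payments", "approve")
    p.bind("finance-analyst", ledger_read)
    p.bind("finance-clerk", ledger_read, ledger_post)
    p.bind("finance-approver", ledger_read, payment_approve)
    p.exclude("finance-clerk", "finance-approver")  # nobody both posts and approves
    p.add_rule(department_rule)
    return p


def demo() -> dict:
    p = build_demo_policy()
    alice = User("alice", "finance")
    bob = User("bob", "marketing")
    p.assign(alice, "finance-clerk")
    p.assign(bob, "finance-analyst")  # held, but never active outside finance
    results = {
        "alice_can_post": p.permits(alice, Entitlement("ledger", "post")),
        "bob_can_read": p.permits(bob, Entitlement("ledger", "read")),
    }
    try:
        p.assign(alice, "finance-approver")
        results["sod_blocked"] = False
    except ValueError:
        results["sod_blocked"] = True
    # Changing one binding changes access for every clerk at once; with
    # entitlements assigned directly per user, this would be N edits and N audits.
    p.unbind("finance-clerk", Entitlement("ledger", "post"))
    results["alice_can_post_after_unbind"] = p.permits(alice, Entitlement("ledger", "post"))
    return results


if __name__ == "__main__":
    print(demo())
```

The department rule is what keeps the role count down: without it, "finance-analyst" would need a sibling role per department (or per tenant, in the SaaS case above), which is the role explosion point 7 and 8 are warning about.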

Role Management Evolution
Ed Coyne (SAIC, Veterans Health Administration)
Alan O'Connor (RTI International)
Paul Rarey (Safeway, Inc)
Robert Amos (NuStar Energy)
David Laurance (JPM Chase)
Kevin Kampman (Burton Group)
  1. NIST is preparing to update a 2002 study on economic returns to IT and business from using role based access technologies and methods to look at where wins have occurred and economic benefit can be improved.
  2. Roles can be used as organizing principle for defining, provisioning and interpreting user access and related information.
  3. To effectively define roles, we must talk in the context of business process and workflow.
  4. The term "role" has come to have several different meanings in different contexts.
  5. Standards may be helpful for RBAC systems to interoperate.



Discovering Identity was founded in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.
