Tuesday Oct 27, 2009

Identity Trend 9: Identity Analytics

This post is the ninth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Whenever data is amassed and made available for analysis, the odds are great that someone will  figure out ways to derive new meaning from this data.  So it is with data related to personal Identity.  I believe we will see an explosion of data analytics being applied to Identity-related data for a number of applications.  Three emerging areas are briefly described in this post.


imageConsiderable evidence is available to show how each of us is progressively establishing a historical, logical  “fingerprint” based on our personal patterns of accessing online resources.   In a blog post entitled, “Anonymized Data Really Isn't,” I discussed how correlating “anonymized” data with seemingly unrelated publicly available data can pinpoint personal identities with frightening accuracy. 

In his address at Digital ID World, Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.  Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people, to be used for authentication and focused marketing activities.

I expect we will soon see many ways data analytics will be used for both positive and negative purposes, to very accurately identify individual people and leverage that identification for authentication and personalization purposes.


imageJust like data analytics can be used to identify who we really are, these methods can be leveraged to personalize the experience online users have with each other and with online applications.  As I discussed in my Identity Trend blog post about Personalization and Context, personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience  to fit what a user is doing at that time.  Data analytics can be used to evaluate both real time and historical information to answer questions such as:

  • What are you doing now?
  • What did you do recently in a similar circumstance?
  • Will historical patterns predict your preferences?

Perhaps the best-known example of this is Amazon.com’s recommendation service illustrated in the photo above.  In this case, based on my historical purchase pattern, Amazon recommended two books to me.  Ironically, Amazon recommended I purchase Seth Godin’s book entitled “Permission Marketing, which addresses some of these very issues we are addressing in this post.  In the next few years, we will most likely see more powerful and refined recommendation engines based on complex data analytics, adapted to a wide variety of user interfaces.


imageThe big question surrounding IT auditing is, “Who really did what, when and where?”  While many tools exist for maintain audit trails and evaluating compliance with audit policy, I believe we will see and emerging class of tools to evaluate audit trails and logs in ways not anticipated by current tools.  A few examples:

Sophisticated ad hoc analytics may make it easier to discover patterns of fraudulent access that may be missed by more structured audit tools. 

Enhanced analytics may help improve the business role discovery process by detecting obscure usage trends in log data.


Some questions you may consider to explore how Identity Analytics may affect your enterprise include:

  1. What Identity data do you currently store?
  2. What related data do you store that could be correlated with Identity data?
  3. Can data analytics be used to correlate data you store with publicly-available data to provide value to your enterprise and your customers?
  4. What additional business value could accrue to your organization base on such analytics?
  5. That privacy and security threats may exist to your employees and your organization if advanced analytics are used to correlate publicly-available data with data you make available?
  6. How could data analytics related to Context and Preference be used to enhance the way users interact with your organization?
  7. How can advanced analytics help you combat fraud or other cybercrime?
  8. How can you use advanced analytics to improve corporate processes?

Identity Trend 8: Personalization and Context

This post is the eighth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the work I have been doing with Sun Microsystems during the past year has been focused on how to leverage Identity to enhance personalization of user experience across multiple “screens of your life.”  Project Destination, a Sun initiative which I lead, is all about enhancing online user experience through “Identity-enabled Service Orchestration and Delivery.”

Personalization increases the value of online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience  to fit what a user is doing at that time.  An effective combination of Identity and Context is essential for personalization.

Context refers to the idea that computer systems and networks can both sense and react based on their environment. For example, devices may have information about the circumstances under which they are able to operate and based on rules, or an intelligent stimulus, react accordingly.  Context is not simply a state, but part of a process in which users are intimately involved and user interfaces are adapted in real time to accommodate changes in user or system context. For example, a context aware mobile phone may know that it is currently in the meeting room, and that the user has sat down. The phone may conclude that the user is currently in a meeting and reject any unimportant calls. Context-aware systems are concerned with the acquisition of context, the abstraction and understanding of context, and application behavior based on the recognized context. Context awareness is regarded as an enabling technology for ubiquitous computing systems.  The Wikipedia article, “Context Awareness,” provides more details and valuable links to material on the subject.

The emergence of Context as a key component of personalization will likely accelerate as service providers seek to answer demand for the delivery of identity-enabled, highly personalized, blended services to subscribers of modern networks.

imageCombining a third element, “Preference,” will enable further personalization.  In a blog post entitled, “Identity, Context, Preference and Persona,” I proposed that the concept of persona is best understood as the intersection of three elements: 

  • Identity = who I am
  • Context = what I am doing
  • Preference = what I want
  • Persona is not just a partial projection of one's identity.  It must take into account the context in which a person exists at the moment, and the preferences the person makes relative to that particular situation. Personalization of a product or service must be synchronized with the persona of a person at any relevant point in time - his or her current persona.

    I expect that two key context-enabled concepts will continue to gain more focus in the near future:

    1. Selective Personae refers to the ability of a person to choose which persona he or she desires to use in a particular context to enable certain types of online experiences.  For example,  online systems (such as BigDialog, a project directed by eCitizen Foundation and Massachusetts Institute of Technology) are emerging to enable citizens to interact more effectively with government officials.  In such a case, a context-driven, selective persona system may validate that a user is indeed a citizen, but allow the user to specify how much personal information (e.g. age, marital status, race) he or she wishes to expose for a particular conversation.
    2. Purpose-driven Web refers to providing a context-driven online experience focused on what a person is doing or wants to do at a particular time, not just what sites the person may be visiting on line.  For example, at the recent DIDW conference, Phil Windley, founder of  of Kynetx proposed to enable contextualized, purpose-based user experiences using the web browser as a point of integration.


    Consider questions such as these to determine how your organization can leverage Context to enhance user experience:

    1. How can a more personalized user experience strengthen the relationship between my customers and my organization?
    2. What new business opportunities can we leverage if we can deliver better user experience to our users?
    3. In what different contexts (e.g. in-store, via web browser, with mobile phone, via TV, at home, at work, during travel) do my user interact with my organization?
    4. How can we augment Identity information we have about users with contextual information to further personalize user experience?
    5. How can information I have collected about user interactions with my organization be leveraged to further personalize a user experience?
    6. What privacy and security regulations limit how we can leverage user information?
    7. Can we effectively leverage user opt-in or opt-out techniques to meet individual user preferences?
    8. How can we leverage new context-driven concepts such as Selective Personae or Purpose-driven Web to personalize the user experience for our customers?

    Friday Sep 11, 2009

    Privacy Principles Depend on Context

    It is an interesting exercise to Google the term “Privacy Principles” and review the different definitions of privacy and different lists of fundamental privacy principles established by various enterprises, organizations and government agencies.  While there are threads of commonality throughout these different lists, it is intriguing to see how different perspectives can emphasize different issues.

    For example, at the Burton Group Catalyst Conference in July, Bob Blakley proposed the following list of privacy principles (further described in the white paper, “Privacy” by Ian Glazer and Bob Blakley, which is available by subscription):

    1. Accountability
    2. Transparency
    3. Meaningful choice
    4. Minimal collection and disclosure
    5. Constrained use
    6. Data quality and accuracy
    7. Validated access
    8. Security

    In December, 2008, The U.S. Department of Health and Human Services issued guidance on how to conform with HIPAA privacy and security requirements. This guidance consists of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which also sets forth eight Privacy Principles:

    1. Individual Access. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

    2. Correction. Individuals should have a way to timely question the accuracy or integrity of their individually identifiable health information and to have erroneous information corrected or to have a dispute documented if their requests are denied.

    3. Openness and Transparency. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.

    4. Individual Choice. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.

    5. Collection, Use, and Disclosure Limitation. Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish specified purposes and never to discriminate inappropriately.

    6. Data Quality and Integrity. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.

    7. Safeguards. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

    8. Accountability. The Principles in the Framework should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

    You can see both similarities and differences in these lists. 

    Ian and Bob observed in their report that privacy is highly dependent on the context in which it is applied:

    Privacy is, fundamentally, contextual. Any question about privacy must be understood in the context of:

    • The starting assumptions and principles of the parties
    • The relationship between the parties
    • The interaction between the parties among which private information is shared
    • The domain (e.g., sector, nation, etc.) in which the parties are interacting
    • The societal norms to which the parties adhere

    Minor variations in any one of these contextual aspects of the situation can lead to major differences in the
    privacy practices that should be applied.

    So, while on the surface one might expect that a standard set of privacy principles would apply in all cases, each enterprise, market or agency must view privacy from their own slightly different perspective, based on the context within which privacy principles are applied.  Normalized lists of privacy principles may provide a valuable foundation, but it is critical for each enterprise or organization seeking to implement an effective privacy program to establish their own list, depending on their context.

    Technorati Tags: ,

    Friday Jun 05, 2009

    Intuitive Identity in a Highly-personalized, Hyper-connected World

    A pervasive theme in the just-concluded JavaOne conference was the need for context-aware personalization of the user experience in a hyper-connected world.

    For example, Ericsson's overview presentation advised, "it's about people" and "it's all about me, me, me."

    "Our kids will grow up in connected world," observed Dan'l Lewin of Micrsosoft.  "... I need to connect to things that matter most from wherever I am."

    At that heart of making this all happen is Identity - enabling highly personalized, time-and-space-sensitive answers to fundamental questions:
    • Who am I?
    • Where am I?
    • What "hat" am I currently wearing?
    • What  is top of mind to me right now?
    • With whom do I wish to connect?
    • What device am I using?
    • How do I want to participate in cyberspace - at this very moment?
    However, as important as Identity is in answering these questions in a highly-personalized, hyper-connected experience, a user shouldn't have to think about Identity.  A person should be immersed in the personal experience, not distracted by whatever mechanisms provide secure, personalized access to the services and applications that deliver the experience.  Identity must be an integral, intuitive, unobtrusive part of the entire experience.  It must be so natural and easy to use that it fades into the background of any task. 

    Identity is rightfully the focal point for the Identity Management professional community.  But one measure of our ultimate success will be how little users have to think about it.

    Technorati Tags: , , , , , ,

    Monday Dec 15, 2008

    Identity, Context, Preference and Persona

    While exploring how Identity is an enabler for personalization of products and services, I recently pondered on the relationship between four interesting words: Identity, Context, Preference and Persona.  Dictionary definitions of the three words include:
    • Identity: "condition or character as to who a person or what a thing is."
    • Context: "the set of circumstances or facts that surround a particular event, situation, etc."
    • Preference: "that which is preferred; choice."
    In other words, I might say about myself:
    • Identity is who I am
    • Context is what I am doing at a particular time
    • Preference is what I choose to think or do
    I propose that the fourth word, Persona, is at the intersection of the first three concepts.  The dictionary defintion:
    • Persona: "the mask or façade presented to satisfy the demands of the situation or the environment and not representing the inner personality of the individual; the public personality."
    In other words, a Persona is a personality I choose to project in a particular circumstance.

    Graphically, we may diagram the relationship as shown below:

    Persona is not just a partial projection of one's identity.  It must take into account the context in which a person exists at the moment, and the preferences the person makes relative to that particular situation. Personalization of a product or service must be synchonized with the persona of a person at any relevant point in time - his or her current persona.

    For example:
    1. My interest in photography is one of several attributes of my personal Identity.
    2. Last Saturday, my presence in a camera store less than two weeks before Christmas was my context at a particular time.
    3. My preference at that time was to find a replacement camera bag.
    My current persona was essentially: 1)photography buff, 2)in a camera store, 3)with desire to buy a camera bag.

    At that point, to present me with information about dairy farms in Idaho would clearly not be synchronized with my current persona, even though Idaho cows are a legitimate interest of mine.

    As good fortune would have it, a very helpful sales person was very synchronized with my persona.  He showed me a great camera bag that would fit my needs, and knowing that Santa was coming soon, let me drool over a really cool, image-stabilized Nikon zoom lens.

    Please let me know what you think about this concept.  I plan to share more thoughts in coming days.

    Technorati Tags: , , , , ,

    Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

    Thanks for stopping by.

    Please connect with me in cyberspace at LinkedIn or Twitter.

    The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.


    « August 2016