Friday May 26, 2006

Minimum definition of identity

I was at an event recently that Sun hosted with PWC and a number of top companies that we are working with in the Pacific Northwest. Several people were asking me about living in Austin, and one of the gentlemen asked me for my opinion of Vince Young. I told him, "I don't know who that is." It was one of those moments (much like the old EF Hutton commercials -- however people were not hanging on my every word for insight but rather fell silent as they waited for me to either tell them I was joking or to let their horror unfold). Apparently this was especially surprising given that I live outside of Austin, Texas. Anyway, I did not know who Vince Young was.

This got me thinking about identity (well, just about everything gets me thinking about identity) and the set of attributes that make up an identity. We are having a lot of conversations with customers these days about "minimum authorized access" as a definition of identity as companies leverage identity management to help with security and compliance demands. Other days, when we are talking with companies who are using identity management for customer-facing applications to drive service levels up and to establish trust, we talk about "maximum allowed access" as the definition of their identity. The interesting thing is, there is no difference between "minimum allowed" and "maximum allowed." It's all the same -- or it should be.

As you go through life, there are people you know, hobbies you enjoy, authors you read, things you care about that are part of your identity at that moment in time. These change. Things fall away, new things come online. The same is true of a network identity. Your role changes, responsibilities get added, projects end and our identity unfolds over time. There is no real need for maximum or minimum definitions, only the need for accuracy at the moment. As the edge becomes the new core, identity management and user-centric computing will increasingly offer this real-time definition of "who are you and what are you allowed to do" across buildings, network access, applications and data.

Now I sort-of know who Vince Young is, and while this story has become part of my identity, at least for a little while, knowledge of and an opinion on this gentleman has not.

Monday May 08, 2006

Digital ID World's "Top 10 Most Important People in Identity"

Digital ID World's Eric Norlin posted his list of "The Top 10 Most Important People in Identity." Sun's Sara Gates made the list at #3, which Norlin noted is really about giving credit to the entire Waveset team that Sun acquired.

Wednesday May 03, 2006

Sun #1 in Gartner's User Provisioning 'Magic Quadrant'

Officially, we can only say that Gartner positioned Sun in the "Leaders" quadrant of its new User Provisioning 'Magic Quadrant.' But looking at the quadrant itself, it is clear that Gartner gave Sun the highest ratings for both categories: completeness of vision and ability to execute. A tremendous win for Sun's Identity Management group. You can see the results for yourself at Gartner's positive analysis comes a couple of months after Forrester Research named Sun "an identity management powerhouse."

Friday Apr 28, 2006

GE Security to OEM Sun's Identity Management Suite

GE is a BIG Sun Identity Management customer, so you can imagine what an endorsement it is that GE Security will now OEM Sun's Identity Management Suite as part of the "converged security solution" it offers its customers.

Here's the money quote from Dan Smytka, president of Engineered Systems at GE Security:

"We know the power that Sun's Identity Management suite delivers because we have deployed it to more than 450,000 users across 11 GE business units. And we look forward to delivering the power of this partnership to customers around the globe to help protect them."

Sometimes the grass is greener on your own side of the fence.

Thursday Mar 02, 2006

Recent observations on compliance

So last time I talked about the "p" word and how we move forward in a meaningful way in talking about policy. I heard from Sun's Robin Wilton who is active with Liberty Alliance and he told me that at a recent working session of the Liberty Alliance a discussion occurred around "drawing the distinction between public (i.e. government) policy as a driver of privacy issues, and enterprise 'business' policy as another influence on the same matters." Good to know that smart people like Robin and the Liberty folks are working to drive much-needed clarity. I look forward to learning more about the work that's underway. I hear Liberty is working on standard legal and policy (did I say the "p" word?) agreements that can act as a baseline agreement for companies wrestling with things like indemnification across federated domains.

A lot of conversations that I am having these days with companies are about implementing technology to help automate compliance processes and make responding to audit requests easier. One company we talked to last year told us a story that at the time seemed hard to believe, but I now see it happening in every public company: this Fortune 100 company had spent 50 man months doing 1 -- ONE! -- audit across their so-called Sarbanes applications (apps with sensitive data on which access must be well controlled). 50 man months checking for separation-of-duty problems across 35 applications. That's 50 man months they were not focused on getting their partner portal launched, updating their ERP system, etc. because they were manually checking for access-control related risks that could lead to bad things happening. It's a common story.

Here are my observations on compliance:

It's happening around the globe. Every country (well, a lot of countries) and a lot of federal governments have Sarbanes-like legislation/regulation out or in the works. As I am out around the world the topic comes up everywhere -- from federal governments across the globe (think HSPD-12) to legislation affecting publicly traded companies (think Sarbanes, HIPAA, Basel II) there are movements afoot to drive better control and security for consumers, citizens, patients and ultimately shareholders.

It's actually good for us. For years I drove without a seatbelt even though I knew I was better off (safer) by wearing one. It wasn't until the law in my state changed and threatened a fine for non-compliance that I changed my behavior. Again, even though I knew I was safer if I wore a seat belt, I chose not to. Now, many years later, wearing a seat belt is just part of driving; I don't think about it, I just buckle up. That's how I see a lot of the "compliance" work being done at companies (Sun as well) and federal agencies these days to get better controls in place. We SHOULD be able to see and approve who-has-access-to-what. We SHOULD be able to quickly do forensics by identity if something goes wrong. We SHOULD be able to control access to critical applications so that bad, unintended things do not happen. Our companies are better off as their risk is lowered with good controls in place. As individuals with 401Ks, we are better off as the risk of Enron/WorldCom-grade failures is lowered. And it's good as this new baseline of control has to be in place for our economy/our businesses to safely face the next wave of growth (think Web 2.0).

In five years we won't talk about it anymore. It will just be how we run our businesses. I look forward to this day. This will be a boon to the printing and marketing industry as every vendor everywhere on the planet will have to revise their collateral to talk about something else. Any predictions on what the new bandwagon will be?

Friday Feb 17, 2006

The “P” Word--- “Policy”

I had the opportunity this week to attend the RSA show and I wanted to share some thoughts from the week.

First, the funniest moment of the week came with Scott McNealy’s keynote when he invited Bill Gates to go hunting. That was timely, bordering-on-inappropriate-yet-hilarious humor. When I got home late last night I told my husband the story and he quipped, “Yeah, what’s the fine for shooting lawyers out of season?” I got another good chuckle out of that.

Yesterday I was talking to Eric Leach from Sun (Eric runs our access management and federation product line) and, as often happens when I talk to Eric, he managed to say a lot in a few words. Eric said, “as I walk around the RSA show, three words are constantly being used (or overused): policy, compliance and automation.” We joked that it was like a mystical chant running across the conference floor, hypnotizing people with the melodic chant of “policy, compliance, automation…, policy, compliance, automation…” luring potential customers into the booths with promises of salvation.

Eric’s right. Those words were everywhere and it got me to thinking and wanting to make a plea.

The “P” word is policy. It’s become a bad word in that the word “policy” in the technology arena has so many meanings that it has actually become meaningless. “Policy” means a lot of things, all of them ultimately in a business, and often, security context. A policy can be on data protection, a policy can be on access control in the platform or application, a policy can be in a dusty three-ring binder that no one ever uses, a policy can be made in response to a law or regulation. Sun’s Chief Privacy Officer and true policy expert, Michelle Dennedy, says that policy needs to be precise and readable, as in a sentence or two that lays out how Sun will govern a class of data in a certain context.

Technology’s role in policy (and compliance for that matter) is as an enabler for policy, making my company and my data more efficient or safer. The technology industry needs to take a page out of Michelle’s book and get more precise on just what it is we do to enable policy enforcement and automation (that’s the plea). Customers will benefit if we get a bit more precise in the use of the term “policy.” Let’s boil it down quickly and be able to tell people just what the functionality is that somehow helps enable policy implementation, enforcement or automation. Ultimately if we can collectively reduce the confusion for potential customers then we can move more quickly to solutions.

Now, before I get a flood of pot-calling-the-kettle-black responses to this blog, let me say that my paycheck comes from Sun, I work in this industry and I am sure we have work to do and thought to give on this as well.

How about a moratorium on the “P” word unless it is modified with a precise, readable explanation of what we mean?

We’ll talk compliance next time, for now I am off to have a cup of coffee to jolt myself out of my “policy, compliance, automation” reverie.

Wednesday Dec 21, 2005

Happy Holidays -- 12 Days of Identity

For those of you who haven’t gotten on our address list yet, I’m posting our holiday greeting card here for your viewing pleasure. And, if you’re like me and haven’t gone out to get your own cards yet, you still have time to send this one to your friends. However, I recommend you send it to those who “get” identity.

12 Days of Identity

(I went ahead and cut to the last verse to spare you the repetition of the first eleven verses!)

On the first day of Identity my true love sent to me:
12 Bloggers Blogging
11 Pipers Provisioning
10 Quiet Help Desks
9 Platforms Interoperating
8 Auditors Auditing
7 Continents Participating
6 Product Offerings
5 Hackers Blocked
4 Ever Open (and Secure)
3 Products Launched
2 Billion Directory Entries
and One Single Sign-on for Me

I'll be back on January 9th, so, until then, I wish you all a fabulous holiday break!

Friday Dec 09, 2005

Volley Back to Dave

I wanted to take a minute to respond to Dave Kearns' most recent newsletter.

First, our move to make all Sun enterprise software, including identity management, available through a no-cost download is potentially a market-changing move - as we put our identity products out there for prospective customers to try and use. My belief is that it's time for identity to become an inherent service on our networks and getting the software into the hands of users will help drive and speed adoption. This is good for Sun because as more and more people try our software, we believe they will ultimately buy from us. It's good for customers because this puts identity management solutions in their hands today so they can start figuring out how to best apply them. What do you think?

Now, onto identity theft. Here are some comments I made to Dave:

Reading your newsletter, I could draw the conclusion that Sun was trying to spur on fear with our survey and that was not at all the intent of our announcement. The conclusions we reached showed that consumers are doing smart things like changing and updating their passwords and are willing to take action if their personal information is mishandled. The buying power, and leaving power, is clearly with consumers. That's not fear, that's empowerment.

As my quote said in the press release:

"It's heartening to see that overall awareness of identity theft is quite high and that many Americans are taking basic steps to protect themselves," said Gates. "Consumers should continue to step up their vigilance in 2006 by only giving their Social Security Number to trusted parties and they should shred all discarded documents with personal data on them. However, companies also need to mitigate the threat of identity theft by taking all possible steps to ensure the security of their corporate data."

My mantra around identity & security is “accelerate without fear” and the last thing I would do is to promote something that drives fear. The Harris survey we did showed (in my opinion) that people are smart, they are paying attention and they are willing to move their business if their information is mishandled. That means companies, if they are to keep growing and gaining customer confidence, must take the necessary steps to protect access to private information and manage “who has access to what”.

Now I want to challenge you with something. Ask your friends what their thoughts are on identity theft. (And I do not mean the vast minority of the world that work in technology. I mean your neighbor, your cousin, your wife's best friend.) Ask them about their opinions on identity theft. I have had this conversation a lot lately with my (non tech) friends & family. Right or wrong, people believe they are more at risk for ID theft with online transactions than elsewhere. We're making progress but we still have education to do & companies still need to think more about the impact of identity on how they run their businesses.

Managing identities is something companies MUST do – Sun has just made it even easier.

Friday Dec 02, 2005

Identity Enables Business to Thrive

Hi there. I have been out all week talking to customers in finance, government, telecommunications, airlines and others about the impact of identity on the running of their businesses. The interesting thing is that we have moved from talking about the management OF identities to the management of our business BY identity. Identity is what brings meaning and security to business transactions. We have a new white paper. This is the final draft that I wanted to share with you (before it's published on because it's all about this topic. This paper is the first in a series that we're putting together on the subject of Accelerating without Fear. It's focused on how identity management helps business gear up for rapid growth in the Participation Age. Let me know what you think.


I had to share this comic strip with you all, it's hilarious.

As many of you know, my husband and I decided to take the TV out of our home five years ago. Best decision we ever made! Instead of watching life go by, we’re living it, participating in it.

I challenge everyone to go a week without TV and please let me know how it goes, what you learn, what I’m missing (if anything!). Would love to hear about your experiences.

Monday Nov 28, 2005

At what point is it identity theft?

I was talking to Dave Kearns last week about a survey on identity theft that we recently conducted, and Dave posed an interesting question: What is identity theft? What qualifies? Is it having your credit card stolen? Does that qualify? Or is it when a thief uses your identity information to gain assets?

As usual, it was an interesting conversation with Dave posing good questions.

If a data theft happens and no financial theft occurs, is it identity theft or not? I pose that anytime there is a data breach and your information that you own and that has value is stolen – that is the theft. Not when someone then goes and gets a mortgage with it. It’s like the “if a tree falls in the forest and no one is there to hear it does it still make a sound?” question. If someone steals your private data and does not use it for financial gain, has a theft occurred? I say yes. Because the risk exists. And the fear. And ultimately because the value is in the data.

As our laws strive to catch up with the identity theft issue, we must define the theft at the point of data breach, not at the point of financial gain.

In the survey we recently conducted with Harris Interactive, we tried to gain an understanding of what adults in the US are currently thinking as it relates to identity theft. Here are a couple of interesting things that I learned:
1. Consumers’ action to prevent identity theft is higher than we thought. Specifically, consumers know and are taking the basic steps like changing their online passwords more frequently. That’s good.
2. Consumers are willing to take action, even if it’s inconvenient, if they are notified that their private data has been compromised. Specifically, they are willing to stop doing business with a retailer or a financial institution if they are notified that their data has been compromised.

My take-away here is that the power is with the consumer. Consumers are savvy about the identity theft issue. Consumers are willing to vote with their wallets, even if it’s a pain in the neck, and take their business elsewhere. So, increasingly, individuals are doing their part.

Companies need to take the steps necessary (and maybe tell their consumers what they are doing?) to increase consumer confidence. My recommendations to them are: secure your data, secure your buildings, secure your networks – all of which ultimately come down to knowing WHO you are letting in and WHO you are keeping out.

And – stop using SSN as an identifier! One reason identity theft has so much power is in its potential. You can search for and find John Doe’s social security number if you hack into any of thousands of databases – alma maters, credit card companies, insurance companies. But what if we could – and I believe we can (CAUTION: shameless plug ahead – using Sun’s identity management technology) – completely eradicate the use of social security numbers as a primary means of identifying people? What if we could use technology to go find everywhere you have this nine-digit number, with or without dashes, and take it out? After all, only the U.S. Social Security Administration really needs your social security number.

We have, in one of the identity products, the ability to randomly generate a number, so your number could be 123A7 and that would be your health-care number, for example – a number that will never be used again, is always associated with you, and is in no way, and in no place, tied to your social security number. Outside the context of your healthcare network, it is a meaningless number.

Less meaning = less risk.
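The replacement described above, sketched as an added example (not Sun's product code and not part of the original post): it finds nine-digit SSNs with or without dashes, filters out structurally impossible values, and swaps each for a random identifier that is stable within one context and never reused. `SurrogateVault`, `scrub` and `plausible_ssn` are hypothetical names, and the sample records are constructed.

```python
import re
import secrets

# Nine digits, with or without dashes, standing alone as a token so that
# card numbers, phone numbers and already-issued surrogates are not matched.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\w-])")


def plausible_ssn(area, group, serial):
    """SSA structural rules: these ranges are never issued as SSNs."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


class SurrogateVault:
    """Issues random identifiers scoped to one context (hypothetical helper).

    In production the mapping would live in a protected store; a dict is
    used here so the example runs on its own.
    """
    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I look-alikes

    def __init__(self, length=10):
        self.length = length
        self._by_ssn = {}     # (context, ssn digits) -> surrogate
        self._issued = set()  # every surrogate ever issued, so none repeats

    def surrogate_for(self, context, ssn_digits):
        key = (context, ssn_digits)
        if key not in self._by_ssn:
            while True:
                candidate = "".join(secrets.choice(self.ALPHABET)
                                    for _ in range(self.length))
                if candidate not in self._issued:
                    break
            self._issued.add(candidate)
            self._by_ssn[key] = candidate
        return self._by_ssn[key]


def scrub(text, context, vault):
    """Replace each plausible SSN in text; return (scrubbed_text, count)."""
    count = 0

    def repl(match):
        nonlocal count
        area, _, group, serial = match.groups()
        if not plausible_ssn(area, group, serial):
            return match.group(0)  # leave order numbers, ITIN-range values
        count += 1
        return vault.surrogate_for(context, area + group + serial)

    return SSN_RE.sub(repl, text), count


# Constructed sample records, not real data.
SAMPLE_ROWS = [
    "patient=John Doe ssn=123-45-6789 phone=512-555-0100",
    "member 123456789 order 987654321 card 4111111111111111",
]

if __name__ == "__main__":
    vault = SurrogateVault()
    for row in SAMPLE_ROWS:
        print(scrub(row, "healthcare", vault))
```

The surrogate is random rather than derived from the SSN, so nothing outside the vault links the two, and the same person gets unrelated identifiers in different contexts.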

We have made some progress here, my SSN for example is no longer on my healthcare card and I know many universities are no longer using SSN as the student number. I suspect, however, that SSNs are sitting in thousands of fields in thousands of databases and that is a problem. (A problem that the right Identity solution can help you solve…OK, I’ll stop).

I know I sound like a broken record, but once again that makes the point that security is changing – it is moving from a “lock it down” overhead function to a business driver. If Web 2.0 is to happen, if we are to enter the Participation Age in a meaningful way, then security will be a key driver behind the next wave of (networked, online) growth.

Wednesday Nov 23, 2005

Canadian Seminars Next Week

For those of you in Canada, Sun and Deloitte are hosting a breakfast seminar in Toronto and Ottawa, November 29th and 30th respectively. The seminar series is focused on increasing growth and decreasing risk with identity management: privacy and security compliance that's good for business.

I'll be presenting along with Andreas Faruki, a partner for Deloitte's Identity Management & Privacy practice in Canada. And, in Toronto, Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner will be joining us. She recently published a white paper on Identity Theft entitled "Identity Theft Revisited: Security is not Enough".

For the Ottawa event: Click here to get details and register.

For the Toronto event: Click here to get details and register.

Friday Nov 18, 2005

Pics from Burton Catalyst Munich

The identity team recently returned from Europe where they met with our customers and also participated in Burton Group's Catalyst event.

Here’s the team celebrating another great show. Of course, I’m assuming this is AFTER the show and not just a working lunch!

Shown here: Andy Land, Julie Pastor, Eric Leach, Tamara Rezler, Bianca Botello, Don Bowen, Etienne Remillon, and Nick Crown.

Sun was one of several vendors hosting the famous hospitality suites where we demonstrated the products and had a fabulous time meeting our European customers and partners. It was a full house!

And, to keep in line with our space theme, we featured an Oxygen Bar which seemed to be as big a hit as our product demos - here it is with some very happy customers.

In case you missed the show (and the suite), you can watch the demo on your own time on the website.

InfoWorld Identity Challenge: A Correction

Normally, I stay out of promoting product-specific coverage but this is something I cannot keep to myself. Sun recently participated in an identity management “shootout” with InfoWorld and several vendors. Sun placed in the top 2 but was dinged on pricing (I won’t get into “value” just now…). After we had a few discussions on the pricing model they applied, InfoWorld revised the product review to include the accurate pricing to use in a vendor comparison. Although they will not revise the scores, I feel confident this change would have significantly changed Sun's place in the final order (you do the math—top two, etc., etc.).

My friend Pat Patterson blogs on this as well citing some great reviews that Sun identity management received. The revised article is now updated online and the specifics on the correction are listed at the end of the article as well.

Thursday Nov 17, 2005

Stealing the Grinch's Christmas

For kicks, the Sun identity management marketing team participated in an internal competition driven by Sun’s CMO today. The challenge was to create a radio spot that explains the benefits of our technology in an easy-to-understand manner. I just had to share the end product with you because 1) it's quite fun, and 2) the team was able to tell a simple story making it easy for the general public to understand what identity management can do for them. A task that is not always easy in this market.

Have a listen, it’ll only take a minute or so, and it’ll get you in the holiday spirit.



