Access Governance Strategy

Identity and Access Management (IAM) projects are often initiated due to an audit finding or security review. These projects have limited management focus — really, if we’re honest about it, a compliance-driven project is launched to fix a specific problem in the business. The project is expected to be delivered on time and on budget, and is wrapped after addressing a specific business need.

An Access Governance program doesn’t lend itself to this type of tactical approach. Access Governance needs a strategy, one that will help drive initiatives over the mid- to long-term. This is true even when (or perhaps especially when) an initial project is launched due to a compliance problem.

Access Governance has a longer life cycle than audit or security reviews, which are typically annual events. This is because access is something that crosses business boundaries, requires complex systems integration, and is dynamically changing as the business changes.

Business or IT strategies can help programs like Access Governance get established and funded. A strategy for access can critically assess business needs, develop roadmaps for addressing those needs, and help management to set performance measures.

When setting out to develop an Access Governance strategy, there are some key activities to be considered:

  • Know the audience — Is the CIO the primary reader of the strategy, or will it be used by multiple executives and managers?  A clear understanding of the business audience is crucial before embarking on the development of a strategy.
  • Identify relevant business goals — What is the organization trying to accomplish? What are the business goals for the next three to five years? Read the business plan and look for ways that access management can support those goals.
  • Link Access Governance to business strategy — This is the key to the process and it must be done well. Explaining how a program of Access Governance helps move the business forward is critical. But linking Access Governance to business goals needs to be realistic and defendable if the strategy is going to be adopted.
  • Identify champions — The strategy needs to be built with full support of those business leaders that will receive the benefits of Access Governance. Make them part of the strategy development process and listen to their input. You’ll be rewarded with loyal supporters of the program.
  • Develop a readable strategy — There is nothing worse than a dense, technical document passing itself off as a strategy. Strategies need to be filled with business language. They must use terms that the audience understands, and they need to be structured in a way that encourages reading. Costs need to be identified and provided in both summary and detailed forms. Illustrations and models are key, and a realistic project roadmap diagram is mandatory.

Once the strategy is approved, a program for Access Governance can be developed. Soon, priority projects will begin to deliver strategic results, and your supporters will realize the measurable benefits of having a strategy guide this crucial program.


e-Voting and Identity

In my own city, Edmonton, they have been talking up e-voting for a while now.  There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election.  (More information can be found here and here.)

First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking.  These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives.  And the proposed e-voting identification process is an interesting one…

To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.

The City’s new project has an identity proofing process for this pilot project.  It includes a unique method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website.  Allowed documents include drivers license, passport, Canadian military cards, etc. (see sidebar).

The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.

This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).

But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient.  On first review (I haven’t done a deep dive so feel free to correct me!) here are a few things that might be compromised by such a process:

  • How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place?  For example, the passports for a household might be stored in a filing cabinet.  Let’s say one member of the household is politically active and the rest don’t vote at all.  How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
  • There may be a privacy issue here.  Scanned identification documents contain a payload of sensitive information.  My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process.  But it also contains my passport number, my place of birth and my citizenship.  None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
  • Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability.  For example, the Alberta drivers license has a hologram on it and ‘declined width text wave’ feature (and these are just two of a dozen security features).  How do these features translate to the scanned image? Assuming many of these features do not translate well, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?

It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.


Personal data and a new business model


Instead of thinking of the digital data as something collected by others and somehow used against you, it becomes a mechanism for you to get companies to send you information about things you actually want to buy.

Personal, located in the Washington, DC area, has built a personal data service that encourages users to enter personal information into Personal’s cloud-based vault.  The service allows people to organize their data into ‘gems’, then send this information to family, friends and business associates.  Here are some quick-hit videos that explain the company and the concept.

I have direct experience with personal data vaults and, frankly, the uptake on this type of service is currently poor.  It may well be a generational thing, and perhaps time has to pass before enough people will trust a cloud service with their secrets.

But I think that the real obstacle for existing personal vaults may well be the current ‘user pay’ business model.  People don’t see the value in a paid-for personal data service — but could they use a service that allows them to control and sell their own personal data?

Personal’s model anticipates a future where advertisers will seek out personal data from prospects and pay for the information.  Personal is hoping to capitalize on this by becoming the broker for millions of personal data transactions, and take a percentage of the transaction fees as commissions.  We — as rightful owners of the data — get the rest!

Is this the future of personal data? Are we seeing a move away from intrusive data collection for the service operator’s profit alone (the Google and Facebook models) to a world where we own, control and reap the benefits of our own information?


Privacy at risk in Canada?

An important issue is being raised by our federal Privacy Commissioner around changes to legislation to combat online fraud and other crimes.  These changes look to be more than cursory — they would potentially create a legal environment where law enforcement can implement excessive surveillance on Canadians.

To quote Jennifer Stoddart’s letter to Vic Toews, the Minister of Public Safety:

By expanding the legal tools of the state to conduct surveillance and access private information, and by reducing the depth of judicial scrutiny, the previous bills would have allowed government to subject more individuals to surveillance and scrutiny.  In brief, these bills went far beyond simply maintaining investigative capacity or modernizing search powers.  Rather, they added significant new capabilities for investigators to track, and search and seize digital information about individuals.

This is an important issue, one worth paying attention to over the coming months.


Update: See the Privacy Law blog’s post and an editorial from Ann Cavoukian, the privacy commissioner for Ontario.

Oracle IAM strategy

Here is the strategy as described in the Oracle Software Strategy presentation yesterday:

Identity Management Product Strategy

• Oracle Identity Management Suite continues as strategic family of products
  – Oracle will support both Oracle Internet Directory and Sun Directory Server with common LDAP administration
  – Sun Role Manager becomes Oracle’s Strategic Identity Analytics offering
  – Oracle Identity Manager remains Oracle’s strategic Identity Provisioning and Identity Lifecycle Management product
  – Oracle Access Manager remains Oracle’s strategic Access Management and Fine-Grained Access Control product
  – Oracle’s Virtual Directory, Enterprise SSO, Entitlements Management, Identity Federation continue as strategic
• Oracle continues to invest in and share technology between Sun and Oracle products
  – Sun Identity Manager will see continued investments and integration with OIM (SPML Adapter Framework)
  – Sun Open SSO will see continued investments and integration with OAM (Secure Token Service)
  – Oracle continues to maintain Open DS
• No change in support timelines or distribution model for Sun products

It is not really a surprise that the Oracle suite makes up the majority of the strategic direction.  I recall a conversation I had with an Oracle rep from the fall — the investment Oracle has made in middleware in the past few years has been huge and it would seem unlikely they’d ditch that code.  Sun Role Manager (formerly Vaau) wins and some of the other pieces (Directory Server and parts of Identity Manager) will be blended in over time.

Based on this announcement, Sun customers will appreciate no change in support and end-of-life product timelines.  If they are running current versions, it would seem that there is ample time to plan for migration to the strategic platform.

Oracle and Sun — What will happen to IAM?

Interesting blog post yesterday from Earl Perkins, one of the Gartner IAM analysts.  He notes that Oracle didn’t rate the IAM product high on the list of reasons to acquire Sun — it is basically an afterthought to the acquisition.  He points out that their profit motivation will drive them to keep Sun customers happy and may drive a two-product strategy going forward.

Oracle aren’t likely to make a rash decision that will reduce revenue potential and customer retention/acquisition.  The message is that no matter the course chosen, he believes that this will be a 5-year transition.


A Vision for identity management in Canada

The overarching vision of the Task Force has been a Pan-Canadian IdM&A Framework that supports access by citizens and businesses to a seamless, cross-jurisdictional, user-centric, multi-channel service delivery experience when interacting with government.

IAM strategy consulting

Most of my consulting work consists of advisory, planning and delivery services in identity management.  So it is no surprise that one of my interests is in seeing how the Pan-Canadian Identity Management & Authentication Strategy can be applied to a variety of IdM projects.  This strategy holds promise for the future development of a national identity framework, one that can cross government jurisdictions and programs.

The Task Force that developed the strategy established a clear vision:

The overarching vision of the Task Force has been a Pan-Canadian IdM&A Framework that supports access by citizens and businesses to a seamless, cross-jurisdictional, user-centric, multi-channel service delivery experience when interacting with government.

For those of us (all of us?) that have had dealings with federal, provincial and municipal governments, this is clearly an ambitious vision. It is fair to say that even working within a single government department today — let alone across jurisdictions — is not seamless and rarely is it multi-channel.  When working between different government departments we encounter a patch-work of online, phone and in-person services that require us to present identification at each step and in inconsistent ways.  Improvements in these areas are clearly in our best interest as citizens and tax payers.

The Pan-Canadian vision promotes standards collaboration.  There must be a basis for establishing ‘trusted, collaborative relationships across jurisdictions’, and only through agreed-to standards can we make this goal a reality. This is particularly true in the high-value online service delivery channel.  Identities for use with applications that require high levels of identity assurance must be well supported by issuing organizations to be effective in a cross-jurisdictional use case.

The vision also recognizes the importance of leveraging existing IdM infrastructures — clearly many jurisdictions (and departments within) have IdM services in place that can be adapted and leveraged.  The Pan-Canadian vision does not compel organizations to discard functioning systems, and this shows up in one of the service delivery design principles:

The ability to leverage existing infrastructure and the increased interoperability of systems.

So how does such a vision get realized?  How does a country that is famous for regionalism and inter-jurisdictional disputes move towards a unified and collaborative model?

  • First, governments can improve the chances of realizing this vision by making identity management a priority. In a country as prosperous as ours, the issue is rarely funding but rather one of priority. Establishing that e-government and e-business need IdM to fuel economic and social development in Canada is key to moving forward.
  • Second, the momentum that we are now seeing in implementing the Pan-Canadian strategy needs to be maintained. In-flight projects need to be completed, new ones identified and communications between all parties increased.  Flexibility in the establishment of standards — recognizing differences and allowing for variances — is necessary if all parties are going to participate fully.
  • Finally, the standards that emerge from the project work need to be quickly codified and become mandatory for inter-jurisdictional transactions. I realize that ‘quickly’ is a relative term, but we can’t be talking about standards development five years from now — we need the basic standards and protocols established in the next 12 months if we are going to catch up to what the rest of the world is doing.

A vision of a seamless, cross-jurisdictional, user-centric, multi-channel service delivery experience is very much in the ‘go big or go home’ category — and now that governments are starting to become engaged in the execution of the Pan-Canadian strategy, it will be interesting to see how the resulting solutions match up to this ambitious vision.



User-Centric IdM for the Public Sector

Moving forward, user-centric Identity Management is clearly an interesting alternative to centralized systems.  The promise of a solution where the user has choice over how and what identity information is shared with Service Providers is worth working towards.  It is not surprising that user-centricity is finding its way into pilots and initial implementations in the public sector.

It is becoming clear to me that user-centric IAM is a philosophy / model / strategy that is well-suited to government implementations because it has potential to return ownership of identity information to individuals, many of whom access multiple public services.

If they can avoid it, Canadian governments do not want to hold identity information outside their highly secured core registries.  These government departments recognize that our relatively tough privacy laws prohibit retention of information beyond what is needed to deliver a service.  Storing additional identity information, or unnecessarily storing the same information in more than one place, increases the risk of breaches and identity fraud.

Adopting user-centric strategies can reduce the volume of sensitive data to be managed, move privacy decisions closer to the user and make governments more compliant with their own legislation and policies.  Perhaps most importantly, as Dick Hardt’s Identity 2.0 presentation made clear, user-centric IdM allows the creation of privacy- and user-driven solutions that mimic the real world we live in.

This is possible because many systems do not necessarily require identification, but rather authorization.  Or if they do need identity information, they need it to support a transaction and have little need to store it after the transaction is completed.

Think about an e-commerce transaction using a credit card.  The system does not actually need to permanently store identity information. Rather, it needs to know that you have the funds to cover the transaction.  The key information is the card number.  Your name is only provided to support the transaction, i.e. to verify that the card being used can be matched to an accountable card holder.  If these authorization elements are present in the transaction (and not disputed later) then the business can be conducted.  The storing of the name information beyond a reasonable dispute period (say 45 days) is unwarranted.

When faced with breaches of identity information, governments may soon find themselves needing to identify less.  It may seem counter-intuitive, but for certain low-value business transactions, a government organization may not actually want to know very much about those individuals, or at least they don’t want to have to store information about them in local databases.  What they do want is to ensure that these citizens are authorized to access the system and the information it contains.

An example of a provincial service that could likely dispense with traditional retention of identity information would be a system that issues a fishing license.  When issuing the license, it is important for the individual to properly identify themselves so that their name can be printed on the actual license document.  The license then authorizes the named individual to fish, so after the transaction it is important to have that identity information on the card to support an enforcement officer’s needs for proving ‘eligibility’.  While the issuing department may make a case for retaining the identity information in a license database, does it need to have its own Identity Provider service — chock full of duplicated identity information? Can it not simply trust one of several provincial or federal Identity Providers?

In time, this user-driven approach should result in fewer identity providers and many more relying service providers.  In a provincial government, there could conceivably be three or four identity providers.  These could be linked to key registries such as HR (for internal users) or public education, health or motor vehicles (for citizens).  Add to this a federally provided IdP, perhaps based on tax records or a passport database, and citizens would have real variety in IdP services.

Moving to user-centric IdM with real choice in identity provider services can provide greater privacy protection and reduce the complexity of government electronic service delivery.


User-Centric IdM

I’ve been working on an Identity Management (IdM) strategy for a client over the past few months.  They have been investing in IdM solutions to meet their needs for several years, so it was becoming important for them to look at the bigger, long-term picture.

A key recommendation in the strategy is to establish user-centric IdM in this organization.  This is based on emerging research that shows users desire more control over identity information, even if that control amounts to simply viewing the information the IdM system possesses.

As I’ve commented on this blog a few times, this emerging user trend is being talked about regularly in industry circles, by select academics and by identity management ‘thought leaders’.  User-centred, or user-centric, IdM can provide practical approaches to meet the increased needs of individuals who wish to better manage their own identity information.

What is less reported and commented on is that user-centric IdM is not a technology, but rather a model or philosophy that is primarily concerned with putting user needs first in IdM solution design.  To be successful, designers of user-centric solutions have to consider the user identity’s full life-cycle and be ‘in tune’ with their needs for privacy and control.  Two noted examples illustrate this point.

Three years ago Kim Cameron came to my city to talk about information cards.  This was a completely new paradigm for those of us that had been designing and building centralized IdM systems.  Mr. Cameron’s use case that day was the payment of an online purchase.  He showed how a user with a Visa account could use an information card to present a claim to an e-commerce site.  The claim didn’t have to provide any details about the user — simply that the user had been authenticated and that they, Visa, would honour the payment.  All the e-commerce site had to do was present this claim to Visa in order to receive payment.  The user in this scenario did not have to supply personal information to the web site in order for the payment to be processed (of course, a name and address would need to be provided to the shipping department, but that was outside the actual financial transaction).

Around the same time, Dick Hardt was wowing them at the O’Reilly OSCON conference with his Identity 2.0 presentation.  His use case was that of how he, a responsible adult, might purchase a quality vodka product from the local liquor outlet.  The main point was this: in real life we present credentials of our choosing to clerks in order to prove an aspect of our identity, such as our current age.  Liquor store clerks don’t need to record our name and address in order to conduct the transaction — they simply need to verify that the birthdate works out to the correct minimum age for the purchase and, in effect, discard the information after the transaction is completed.  Mr. Hardt goes on to say that there are technology solutions that can virtualize this approach, hence user-centric and privacy-smart identity solutions can emerge.

In both these cases, the needs of the individuals are considered first.  Mr. Cameron could easily have stuffed the virtual credit card with user information, and made the case that the e-commerce site would highly value that information (think Facebook).  Similarly, Mr. Hardt’s example focused on the only reason the individual would want to present identity information: to confirm one aspect of their identity, that being their age.  Both of these are in tune with the demands of privacy-aware citizens and are excellent examples of user-centric philosophy.
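The minimal-disclosure idea behind Mr. Hardt’s liquor-store example and Mr. Cameron’s information card, together with the data-minimization concern raised about scanned passports in the e-voting post, can be shown in a few lines. This is an added example, not code from the original posts or from any product mentioned: a hypothetical identity provider answers a single question (is the subject at least N years old, or what is their legal name, the fishing-licence case) with a signed claim, and a relying party verifies it without ever receiving the birthdate, passport number or place of birth. The shared HMAC key, the registry record and all names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key shared by the IdP and the relying party (RP). A real
# deployment would use a public-key signature so the RP can verify claims but
# not mint them; HMAC keeps this added example dependency-free.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed registry record, the kind of data an identity provider such as a
# motor-vehicles registry holds. Only the IdP ever sees the whole record.
REGISTRY = {
    "user-42": {"name": "Alex Example", "birthdate": "1990-06-15",
                "passport_no": "CONSTRUCTED-123", "place_of_birth": "Edmonton"},
}

# Attributes a relying party has no business receiving or storing.
SENSITIVE_KEYS = {"birthdate", "passport_no", "place_of_birth"}


def _mac(body: bytes) -> bytes:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()


def _age_on(birthdate_iso: str, today_iso: str) -> int:
    born, today = date.fromisoformat(birthdate_iso), date.fromisoformat(today_iso)
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years


def issue_claim(user_id: str, predicate: str, today: str, now: int, ttl: int = 300) -> str:
    """IdP side: answer one question about the subject and sign only the answer.

    'age_at_least:N' yields a boolean (the liquor-store case); 'name' yields the
    legal name (the fishing-licence case, where the name is printed on the
    document). Birthdate, passport number and place of birth never leave the IdP.
    """
    rec = REGISTRY[user_id]
    if predicate.startswith("age_at_least:"):
        result = _age_on(rec["birthdate"], today) >= int(predicate.split(":", 1)[1])
    elif predicate == "name":
        result = rec["name"]
    else:
        raise ValueError(f"unsupported predicate: {predicate}")
    payload = {
        # Pseudonymous subject reference: binds the claim to a session without
        # revealing the IdP's internal user id.
        "sub": hashlib.sha256(user_id.encode()).hexdigest()[:16],
        "predicate": predicate, "result": result, "iat": now, "exp": now + ttl,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(_mac(body))).decode()


def verify_claim(token: str, now: int):
    """RP side: check integrity and freshness, then act on the answer.

    Returns (True, payload) on success and (False, None) otherwise. Nothing in an
    accepted payload needs to be retained once the transaction completes.
    """
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        if not hmac.compare_digest(_mac(body), base64.urlsafe_b64decode(mac_b64)):
            return False, None
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False, None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return False, None
    # Defence in depth: reject a claim that would hand the RP attributes it must
    # not hold, even if the IdP were misconfigured.
    if SENSITIVE_KEYS.intersection(payload):
        return False, None
    return True, payload
```

The relying party ends up holding only a yes/no answer (or a name, where the document requires one), a short-lived pseudonymous reference and a signature, which is all an enforcement officer or a liquor-store clerk ever needed.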

Centralized systems, like the Canadian government’s ePass, scale to millions of users and are well understood by users and designers alike.  But these legacy systems are fraught with challenges related to security, lack of privacy controls and, potentially, accusations of ‘big brother’.  In no way are these systems user-centric — they simply were built in a time when user ‘control over identity’ needs were not a priority.

For organizations like large companies and governments, these systems do a disservice because they ultimately will discourage privacy-aware individuals from using the very online services the IdM system is intending to enable.  Only by adopting user-centric philosophies in solution design can IdM systems meet the changing needs of individuals in an increasingly privacy-aware world.


CIPS Security Lunch

I offered up a presentation on Identity Management to the local CIPS Security Special Interest Group a few weeks back, and yesterday was the day to present.  I titled the talk Evolution of Identity Management.

The presentation highlights the changes in IdM over the past few decades, from system administrator-controlled centralized systems, to the latest in federated and user-centric models.

Many thanks to CIPS Edmonton for inviting me, and an extra-special thanks to my client, Alberta Advanced Education and Technology, for letting me ‘re-cycle’ some slides for inclusion in the talk.