Words matter

I should know better.

I walked into a meeting of business types recently and started talking about their IAM service, how provisioning would be implemented and how SSO was part of the next release. SSO was going to be a good thing. Their users would very much enjoy SSO!

Except that they had no idea what SSO was…

The thing is that the audience — all very capable professionals in their own right — were having a hard enough time with the acronym soup already presented. They were still struggling with the picture of permissions for users being moved from one system to another. They were all still mapping their view of what the application did with what IAM would bring to the table. Their gaze grew distant, shoulders sagged, connection closed.

Why didn’t I just say Login Service? These people log in to their computers every day. They log in to their online banking, and their Facebook accounts. They log in to their phones. They get login.

Words do matter in IAM. Figure out who you are talking to and use the right ones.


Recent IAM reading…

I didn’t blog or even tweet much over the holidays, but I did manage to catch up on a few good posts and articles while lazing around…

  • The Quest to Replace Passwords — Extensive report on the challenges of replacing passwords (HT @aniltj).  The table on page 11 is worth a good study for anyone interested in how various password-less authentication options stack up.
  • Identity Management on a Shoestring — An excellent report on how to implement IAM in an enterprise without spending years/millions.  Uncanny resemblance to work I’ve been involved with in the past several years, i.e. customized implementations that are not constrained by the cost and complexity of COTS solutions.
  • Economic Tussles in Federated Identity Management — Another excellent paper, this time on the economic issues related to Fed ID.  Points out how successful implementations occur when IdPs, SPs and users all receive benefits.
  • OASIS Identity in the Cloud Use Cases — A list of 29 use cases that are a solid reference for future IAM projects that involve cloud services.  (HT to @RBsTweets.)
  • Gov’t of Canada SecureKey page — A summary of SecureKey and the Canadian federal organization and legislation that supports its implementation.  Would be nice to see a link to the PIA…

These should get your new year off to a good start – happy 2013 everyone!


72 things I’ve learned about IAM

72 door-opening thoughts…

In 2006, after three years of working with an inflexible vendor to implement immature identity and access management technology, my client asked me to document some lessons learned from the projects.  I’ve done a couple of talks with these findings over the past few years and these lessons have influenced my approach to IAM project delivery ever since.

[Click here for a Prezi of this post…]

In the past few months, I’ve come across blog posts related to identity management best practices and lessons learned, such as this one from Mark Dixon. These observations mirrored my own in some ways, and differed in others, so I thought I’d put together a top 10 list of things I’ve learned, including some useful advice on identity.

The only problem is that in preparing the list I cruised past 10, then 20 — and before long I had itemized 72 things that I’ve learned about IAM since I entered this niche seven years ago.

In keeping with the fashion of today, each entry will be 140 characters or less…

  1. IAM is a tool for business; it has little to do with technology.
  2. Business people are frequently shielded from making IAM decisions.  It is not clear why this is so.
  3. Develop an IAM strategy in 2010.
  4. If you aren’t ready for a strategy, consider an IAM assessment so you at least know where you are at.
  5. Products have improved greatly in the past seven years.
  6. Delivering IAM is still difficult — there are too many disciplines involved and not enough fundamental understanding.
  7. If not managed, all IAM business decisions would be driven by user convenience and process simplicity.
  8. Information security professionals need to influence these IAM implementation decisions.
  9. Some of the best resources for an IAM project are senior software developers.  Tech analysts often don’t get it.
  10. Information security analysts need to understand that IAM enables — they often get caught up on the protection bit.
  11. All IAM projects need business analysts.  Every. Single. Project.
  12. IAM should be delivered as a program, not a set of loosely connected projects.
  13. An IAM program needs deliberate governance and formal communication.  Just winging it won’t work…
  14. Build an IAM roadmap.
  15. New to IAM? Start small: proof-of-concept, then a pilot, then small app in production, then the big one (in stages).
  16. IAM needs to be driven by policies and standards — without these in place, IAM will flounder.
  17. Support IAM with good IT and security architecture.
  18. Many IAM experts I’ve come across online are obsessed with technology and rarely link to the business.
  19. Avoid ocean boiling — leave fine-grained entitlements with the application to worry about (for now).
  20. Strong identity assurance is poorly understood.
  21. Strong authentication is useless without good identity assurance processes.
  22. Strong identity assurance processes are difficult without face-to-face identity validation.  But not impossible.
  23. A strong authentication device does not make a secure system.
  24. Strong passwords do not equate to strong authentication.
  25. By their actions, Canadian banks don’t understand strong authentication, but are masters at strong identity assurance.
  26. Many enterprises are still drinking RSA’s kool-aid and are blind to other strong authentication options.
  27. Some strong authentication technologies, such as smart cards, can get you into buildings.  Think convergence.
  28. Some web sites have silly ideas about passwords and security.
  29. Most senior execs do not understand how IAM can both protect and enable their core business.
  30. Most IT execs can’t explain how IAM can both protect and enable their core business.
  31. Most techs don’t understand how IAM enables business.
  32. Many vendors are starting to understand how IAM can both protect and enable their clients’ businesses.
  33. IAM is not just about electronic access — people access information in all kinds of ways, and from myriad locations.
  34. Two IAM geeks talking will induce lethargy on any bystander within ear-shot.
  35. IAM is an enabler for any organization that serves people with disabilities.
  36. IAM is largely being used for low value transactions.  ROI will sky-rocket when the important stuff comes along.
  37. In IAM, sometimes clicking ‘I Agree’ is not sufficient.  Blue ink on white paper can still be necessary.
  38. Federated identity can cement business relationships — for good and bad.
  39. Federated identity excites people.
  40. Federated identity scares enterprises.
  41. Federated identity challenges are not technical — most issues are related to process and agreements.
  42. There will be a boom in the coming years for businesses that provide identity assurance services to enterprises.
  43. IAM systems collect way too much information for the access requirements of most business applications.
  44. IAM stores are gold mines for identity fraudsters.
  45. Pan-Canadian IdM&A still rocks, even if it is only partially developed and is horribly communicated.
  46. Canada is behind the US and Europe in IAM implementations.
  47. People still trust passwords even though they shouldn’t.
  48. The best book on identity is Jim Harper’s Identity Crisis.  Read it.
  49. Vague IAM prediction for 2012: Microsoft.
  50. IAM projects often get dragged into enterprise confusion about the identity information that they already hold.
  51. Young people are starting to become more privacy aware.  Slowly. And it is probably too late for most of them.
  52. There are no Canadian university researchers interested in identity. Zero.  None. (Are there?)
  53. American views of identity are heavily focused on protection.
  54. Canadian views on identity are heavily focused on privacy.
  55. IAM solutions for health care are difficult due to perceived and real risks.  The challenge is to know the difference.
  56. Identity can’t get in the way of delivering health services, even if it can link a patient to his/her records.
  57. A risk management approach must be taken towards all IAM projects.
  58. Security in layers for IAM solutions is a good thing, but poorly understood.
  59. Certifying IAM processes is critical if common identity assurance and authentication practices are to take hold.
  60. End users of IAM systems are more capable and responsible than we give them credit for.
  61. IAM systems are very difficult to make highly available — too many pieces.  But most apps don’t need high availability.
  62. Those that ask for IAM high availability often don’t have well-developed reasons for it.
  63. 90% of IAM traffic is authentication.
  64. 10% of the work in an IAM project is to figure out authentication and strong authentication.
  65. 10% of IAM traffic is related to registration/enrolment.
  66. 90% of the work in an IAM project is needed to build a compliant registration/enrolment sub-system that works.
  67. Copying a driver’s license to screen customers should result in more than an order from the privacy commissioner.
  68. Relying on existing data stores or directories for an IAM user store is risky — most user data is in terrible shape.
  69. Help desk staff must understand and follow formal identity assurance processes when dealing with IAM users over the phone.
  70. Having users self-register and self-enroll into business applications can be very effective.
  71. Powerful user-self administration is just around the corner.

and finally,

  72. People are what matters in IAM, not ‘users’, ‘stakeholders’ or ‘customers’.  Think people and IAM gets easier.

Happy 2010!


PS2009 — Nicholas Carr

Feb 4th, 8:35am

Nicholas G. Carr, Author

Mr. Carr’s 2003 Harvard Business Review article and follow-on book, Does IT Matter, forced organizations to rethink IT’s role in developing and executing strategy.  His current book, The Big Switch, examines the impact of cloud computing on business, culture and society.  An excerpt:

At a conference in Paris during the summer of 2004, Apple introduced an updated version of its popular iMac computer. Since its debut in 1998, the iMac had always been distinguished by its unusual design, but the new model was particularly striking. It appeared to be nothing more than a flat-panel television, a rectangular screen encased in a thin block of white plastic and mounted on an aluminum pedestal. All the components of the computer itself – the chips, the drives, the cables, the connectors – were hidden behind the screen. The advertising tagline wittily anticipated the response of prospective buyers: “Where did the computer go?”

But the question was more than just a cute promotional pitch. It was, as well, a subtle acknowledgment that our longstanding idea of a computer is obsolete. While most of us continue to depend on personal computers both at home and in the office, we’re using them in a very different way than we used to. Instead of relying on data and software that reside inside our computers, inscribed on our private hard drives, we increasingly tap into data and software that stream through the public Internet. Our PCs are turning into terminals that draw most of their power and usefulness not from what’s inside them but from the network they’re hooked up to – and, in particular, from the other computers that are hooked up to that network.

This talk was an easy way to start the day.  As I was absorbing my first caffeine infusion, it was satisfying to sit back and listen to Carr talk about how the early 20th-century industrialists switched from water power to electrical grids in the space of a few decades.  The predominant power generation systems in the 1800s were privately owned water-wheels that drove mechanical factories. All this changed late in the century with the advent of centrally generated electricity. By 1930, 90% of all power generation came from grid utilities.

It is this type of disruptive technology event that Carr links to today’s increasing use of Internet computing resources, aka Cloud Computing.  He makes the point that computers and storage that are privately owned are underutilized and require large labour efforts to maintain. Further, this labour is disproportionately spent on ‘keeping the lights on’ with only 30% of effort dedicated to creating new systems or directly supporting business automation.

Today there is a huge trend towards large-scale server farms that offer high efficiency and low cost.  While this is nothing new — timeshare mainframes were all the rage in the 1970s — there are two significant differences with today’s Cloud Computing infrastructure:

  1. Server virtualization technologies offer enormous scalability and flexibility. Applications that need additional power can have capacity added almost instantly.
  2. Network capacity has finally caught up with computing power.  For many years we had enormous leaps in processing power that were not matched by increased network bandwidth.  But today, high-bandwidth connections are the norm and we no longer need to be physically close to our computing resources to deliver enterprise applications.

Another important development is that the model is already proven with consumer (think Web 2.0) applications and massively successful business applications like SalesForce.  The more enterprise IT sees these types of deployments, the more likely it will consider Cloud Computing as an option to reduce costs and increase capabilities.

Carr makes the assertion that Cloud Computing is a disruptive technology, and that users of traditional, self-hosted systems will likely be caught by surprise as this trend becomes more prevalent. 

He does recognize that there are some important consequences of Cloud Computing:

  • data is now centralized and connected over the web;
  • information security is more important — mostly because the risks of breach and downtime are increased; and
  • organizations may need to trade privacy (think Gmail) for convenience and low cost operations.

Governments have been slow to make the switch to Cloud Computing, likely for the three reasons highlighted above.  There is a big concern around where data is stored — most Canadian organizations, especially government ones, will not allow personal or confidential information to be stored outside of Canada.  Because Cloud Computing is so virtualized, it is possible that a service provider could not only store the databases in, say, the US, but also move them to server facilities in one or more other countries without notice.

His final point was a slide showing a common power outlet surrounded by a large collection of now-common electrical appliances.  Harkening back to his earlier point about electrical grids, Carr illustrates how ubiquitous electrical power spawned a wave of innovation in device design that would take advantage of that utility.  

I think that Carr’s observations are well developed and he’s almost certainly correct in saying that many IT shops will move applications and infrastructure to the Cloud in the future.  I’m less convinced that government bodies will be so enamoured with a technology that has yet to prove it is as secure, privacy-conscious or reliable as the systems they operate today.

One thing is certain: the next few years of the disruptive technology that is Cloud Computing will be interesting to experience.


PS2009 — Telus/Rotman IT Security Study

Feb 3rd, 10:10am
Live blog post…

Alan LeFort from Telus presented on this Canadian IT security practices survey and study:
– 60 percent of Gov’t don’t enforce their security strategy
– 4 percent of Gov’t orgs reported financial data loss
– 1 in 11 have lost confidential data
– private organizations almost 3 times more likely than Gov’t to communicate security issues with stakeholders
– IT security investments directly impact (reduce) security incident reports
– Gov’t strong in network security, weak in application security (e.g. lack of strong authentication)
– breach costs average 23 percent higher in Canada vs US
– private sector paying 35 to 40 percent higher salaries for security staff

The 2009 study will target 800 respondents (up from 306 in ’08). Currently looking for input to survey design — Google ‘Rotman Telus Security Survey’ to find the site.


Identity Quotes from The Incredibles…

identity is your most important asset

I spent a good part of the holidays watching and overhearing my young son play (and replay, and replay…) his favourite movie, The Incredibles.  Some great, great lines in that movie — and a few good ones on the subject of Identity.  Here is a compilation of identity-related quotes from that show, plus a few good ones from other TV shows and movies.

The Incredibles (2004)

Helen/Elastigirl (talking to her daughter Violet): Put these on. Your identity is your most valuable possession. Protect it. And if anything goes wrong, use your powers.

The Office (2005)

Dwight Schrute: Identity theft is not a joke, Jim!

The Incredibles (2004)

Helen: Of course I have a secret identity. Can you see me in this at the supermarket? Come on! Who’d want to go shopping as Elastigirl, know what I mean?

The Simpsons (1989)

Barney: [to Adam West] So long, Superman. Your secret identity is safe with me.

The Incredibles (2004)

Mr. Incredible: Of course I have a secret identity. I don’t know a single superhero who doesn’t. Who wants the pressure of being super all the time?

Star Trek (1966)

Computer Voice: Voice print & identity verified & correct sequence 2 complete

The Incredibles (2004)

Lucius/Frozone: Superladies? They’re always trying to tell you their secret identity… think it’ll strengthen the relationship or something like that. I say, “Girl, I don’t wanna know about your mild-mannered alter ego or anything like that. I mean, you tell me you’re, uh… S-Super, Mega, Ultra Lightning Babe, that’s alright with me. I’m good… I’m good.”

Here’s hoping your identity challenges are less worrisome than those of Frozone or our friend Barney… Happy holidays, I hope 2008 was a good year and all the best in the New Year!


Identity Quote

Why bother with Identity Management?  Sir James Crosby, a former bank CEO and the Deputy Chairman of the Financial Services Authority in the United Kingdom, has this to say:

 “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”

In two sentences Sir Crosby fairly summarizes why IdM has become such a priority for governments and the private sector — so many of the advantages of e-government and e-business are increasingly dependent on knowing who is at the end of the line.  Without effective identity proofing, a well-issued and well-managed credential, good authentication methods and full life-cycle management of user credentials, it becomes difficult for organizations to conduct their business online.

And in these uncertain times, who doesn’t want a little ‘economic and social advantage’?


Security and Privacy Quotes

Here are the weekend quotes, a day early…

On security:

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” Helen Keller, author and activist.  Keller, who was deaf and blind, was an advocate for many progressive causes including women’s suffrage and inclusion for people with disabilities.

On privacy and youth:

“Young people are very adept and comfortable with electronic communication. As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs” — Irene Hamilton, Manitoba Ombudsman, speaking at the semi-annual meeting of Canadian Privacy Commissioners, June 4, 2008.  Visit youthprivacy.ca for more information.

On common sense?

“Many companies need to do more to prevent inexcusable security breaches.  Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”  Jennifer Stoddart, Canada’s Privacy Commissioner in her 2007 report to Parliament.


Security and Secrecy Quotes

On security:

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.” Bill Gates.  Factoid: Gates and his teenage classmates were banned from using a PDP-10 timeshare computer after the operator of the system caught them exploiting flaws in the operating system to gain extra computer time…

On viruses:

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” Stephen Hawking.

On secrecy:

“The very word ‘secrecy’ is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths, and to secret proceedings.” John F. Kennedy, 35th US President.  Interesting that JFK’s administration was involved in a CIA overthrow of Iraq.

Privacy Quotes

On privacy:

“You have no privacy, get over it.” Sun Microsystems Chairman and CEO Scott McNealy

On privacy policy and legislation:

“We need a privacy policy for the modern economy, including information collected on the Internet and offline, as well as across industries.” Barack Obama, US Democratic Party Candidate

And on our personal need for privacy:

“The personal life of every individual is based on secrecy, and perhaps it is partly for that reason that civilized man is so nervously anxious that personal privacy should be respected.” Anton Chekhov, Russian writer