Recent IAM reading…

I didn’t blog or even tweet much over the holidays, but I did manage to catch up on a few good posts and articles while lazing around…

  • The Quest to Replace Passwords — Extensive report on the challenges of replacing passwords (HT @aniltj).  The table on page 11 is worth a good study for anyone interested in how the various password-less authentication options stack up.
  • Identity Management on a Shoestring — An excellent report on how to implement IAM in an enterprise without spending years/millions.  Uncanny resemblance to work I’ve been involved with in the past several years, i.e. customized implementations that are not constricted by the cost and complexity of COTS solutions.
  • Economic Tussles in Federated Identity Management — Another excellent paper, this time on the economic issues related to Fed ID.  Points out how successful implementations occur when IdPs, SPs and users all receive benefits.
  • OASIS Identity in the Cloud Use Cases — A list of 29 use cases that are a solid reference for future IAM projects that involve cloud services.  (HT to @RBsTweets.)
  • Gov’t of Canada SecureKey page — A summary of SecureKey and the Canadian federal organization and legislation that supports its implementation.  Would be nice to see a link to the PIA…

These should get your new year off to a good start – happy 2013 everyone!


Personal data and a new business model


Instead of thinking of the digital data as something collected by others and somehow used against you, it becomes a mechanism for you to get companies to send you information about things you actually want to buy.

Personal, located in the Washington, DC area, has built a personal data service that encourages users to enter personal information into Personal’s cloud-based vault.  The service allows people to organize their data into ‘gems’, then send this information to family, friends and business associates.  Here are some quick-hit videos that explain the company and the concept.

I have direct experience with personal data vaults and, frankly, the uptake on this type of service is currently poor.  It may well be a generational thing, and perhaps time has to pass before enough people will trust a cloud service with their secrets.

But I think that the real obstacle for existing personal vaults may well be the current ‘user pay’ business model.  People don’t see the value in a paid-for personal data service — but could they use a service that allows them to control and sell their own personal data?

Personal’s model anticipates a future where advertisers will seek out personal data from prospects and pay for the information.  Personal is hoping to capitalize on this by becoming the broker for millions of personal data transactions, and take a percentage of the transaction fees as commissions.  We — as rightful owners of the data — get the rest!

Is this the future of personal data? Are we seeing a move away from intrusive data collection for the service operator’s profit alone (the Google and Facebook models) to a world where we own, control and reap the benefits of our own information?


IAM for the smaller enterprise

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing, and a number of them now offer solutions suited to the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion has a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and the service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcome development.


Cloud Computing: Schneier and Ranum weigh in

Unless you’ve been living in a cave over the past six months, you are probably aware that Cloud Computing is the Next Big Thing.  Of course, it isn’t new or unique — it is a form of centralized computing and application delivery that has existed since the first time-sharing systems emerged in the 60s.

But the big vendors need a story to push their products and services, and Cloud Computing is it for 2009. It isn’t surprising that the information security and privacy protection aspects of cloud computing are starting to get a lot of attention as well.

What are the risks? How secure is my data in the Cloud? What privacy protections can I rely on? Do you really trust your service provider?

Bruce Schneier and Marcus Ranum have a video from their Face-Off series that is well worth viewing for anyone looking to take advantage of Cloud Computing services.

I like Ranum’s emphasis on limited data access and lack of portability. Locking clients into a hosted application and database is going to be a problem when the client wants to use another provider. Just how do you move five years of email from Gmail to your own mail server? Can you quickly extract and replatform your critical sales data from Salesforce if it gets bought out by one of your competitors?


PS2009 — Epilogue

The 2009 Privacy and Security Conference is over for another year. As usual I was treated to some interesting new ideas, issues and solutions.

But this year I’m conscious of the number of times that I left a session with a feeling that the speaker had been cut off or missed delivering their conclusion. It wasn’t that the presenters were weak (they weren’t) but rather that many sessions ended with unanswered questions.  Such is the state of privacy and security in 2009 I suppose…

A random sampling includes:

  • How will IdM and access be effectively implemented in our hospitals and clinics? The physicians see authentication as an obstacle to delivering health services, yet health delivery organizations must have appropriate controls in place.  The CIO for Vancouver Island Health Authority had the problem well defined but didn’t give us insight as to what solutions she saw as promising.
  • When, if ever, will the US introduce effective Federal privacy legislation?  This conference has a fair number of US-based speakers and each one tells an American story prefaced by ‘up here in Canada, this is less a concern because of your privacy laws’.
  • Can government ever leverage Cloud Computing, or will data control always limit its ability to leverage the Cloud?  Nicholas Carr didn’t answer this question for us, and — given this was a public sector conference — I think most of us are skeptical that the Cloud will ever meet government needs.
  • What is the ‘killer use case’ for user-centric IdM?  Stefan Brands was technically very good in his presentation, but too often user-centric IdM is focused on the model and technology.  We get the technology now — but what are we going to use it for beyond low-value SSO?  (This topic is certainly fodder for future posts on this blog.)

Despite these loose-ends, I enjoyed this conference again this year — it was good to meet new people, kibitz with a few clients and enjoy the spring-like maritime weather.  I’m sure to be back in 2010.


PS2009 — Winn Schwartau

Feb 4th, 9:40am
Live blog post…

Winn Schwartau is the President of Interpact Inc. He explains how easy it is to gather information on an individual; medical, financial and legal information are all available using a range of free and paid Internet services.

Key concerns:
– On the Internet today, there are approx. 500,000 databases containing personal information.
– Virtually no regulation exists to protect privacy especially in the US.
– No-one reads usage agreements that outline what a company can do with our data.
– Privacy rules/laws difficult to set because technology changes so rapidly.
– 75 percent of US residents have had data on them lost or stolen.

He makes a number of interesting points:
– Why can’t we treat our personal details as copyrighted information? Why can’t we own our own names?
– The questions are ethical not legal.
– We need to redefine ‘public domain’ to mean ‘for the public good’.
– We should be able to tell companies that they can only use our information for one transaction (unless we order otherwise).
– We must be able to request and receive all information held on us by companies.
– We must have data error repair rights and, if possible, some recourse for abuse.
– Need leadership and global cooperation to bring about change.

Interesting and thought-provoking; more info at


PS2009 — Nicholas Carr

Feb 4th, 8:35am

Nicholas G. Carr, Author

Mr. Carr’s 2003 Harvard Business Review article and follow-on book, Does IT Matter, forced organizations to rethink IT’s role in developing and executing strategy.  His current book, The Big Switch, examines the impact of cloud computing on business, culture and society.  An excerpt:

At a conference in Paris during the summer of 2004, Apple introduced an updated version of its popular iMac computer. Since its debut in 1998, the iMac had always been distinguished by its unusual design, but the new model was particularly striking. It appeared to be nothing more than a flat-panel television, a rectangular screen encased in a thin block of white plastic and mounted on an aluminum pedestal. All the components of the computer itself – the chips, the drives, the cables, the connectors – were hidden behind the screen. The advertising tagline wittily anticipated the response of prospective buyers: “Where did the computer go?”

But the question was more than just a cute promotional pitch. It was, as well, a subtle acknowledgment that our longstanding idea of a computer is obsolete. While most of us continue to depend on personal computers both at home and in the office, we’re using them in a very different way than we used to. Instead of relying on data and software that reside inside our computers, inscribed on our private hard drives, we increasingly tap into data and software that stream through the public Internet. Our PCs are turning into terminals that draw most of their power and usefulness not from what’s inside them but from the network they’re hooked up to – and, in particular, from the other computers that are hooked up to that network.

This talk was an easy way to start the day.  As I was absorbing my first caffeine infusion, it was satisfying to sit back and listen to Carr talk about how the early 20th-century industrialists switched from water power to electrical grids in the space of a few decades.  The predominant power generation systems in the 1800s were privately owned water-wheels that drove mechanical factories. All this changed late in the century with the advent of centrally generated electricity. By 1930, 90% of all power generation came from grid utilities.

It is this type of disruptive technology event that Carr links to today’s increasing use of Internet computing resources, aka Cloud Computing.  He makes the point that computers and storage that are privately owned are underutilized and require large labour efforts to maintain. Further, this labour is disproportionately spent on ‘keeping the lights on’ with only 30% of effort dedicated to creating new systems or directly supporting business automation.

Today there is a huge trend towards large-scale server farms that offer high efficiency and low cost.  While this is nothing new — timeshare mainframes were all the rage in the 1970s — there are two significant differences with today’s Cloud Computing infrastructure:

  1. Server virtualization technologies offer enormous scalability and flexibility. Applications that need additional power can have capacity added almost instantly.
  2. Network capacity has finally caught up with computing power.  For many years we have had enormous leaps in processing power that were not matched by increased network bandwidth.  But today, high-bandwidth connections are the norm and we no longer need to be physically close to our computing resources to deliver enterprise applications.

Another important development is that the model is already proven with consumer (think Web 2.0) applications and massively successful business applications like SalesForce.  The more enterprise IT sees these types of deployments, the more likely they will consider Cloud Computing as an option to reduce costs and increase capabilities.

Carr makes the assertion that Cloud Computing is a disruptive technology, and that users of traditional, self-hosted systems will likely be caught by surprise as this trend becomes more prevalent. 

He does recognize that there are some important consequences of Cloud Computing:

  • data is now centralized and connected over the web;
  • information security is more important — mostly because the risks of breach and downtime are increased; and
  • organizations may need to trade privacy (think Gmail) for convenience and low cost operations.

Governments have been slow to make the switch to Cloud Computing, likely for the three reasons highlighted above.  There is a big concern around where data is stored — most Canadian organizations, especially government ones, will not accept personal or confidential information being stored outside of Canada.  Because Cloud Computing is so virtualized, it is possible that a service provider could not only store the databases in, say, the US, but move them to server facilities in one or more other countries without notice.

His final point was a slide showing a common power outlet surrounded by a large collection of now-common electrical appliances.  Harkening back to his earlier point about electrical grids, Carr illustrates how ubiquitous electrical power spawned a wave of innovation in device design that would take advantage of that utility.  

I think that Carr’s observations are well developed and he’s almost certainly correct in saying that many IT shops will move applications and infrastructure to the Cloud in the future.  I’m less convinced that government bodies will be so enamoured with a technology that has yet to prove it is as secure, privacy-conscious or reliable as the systems they operate today.

One thing is certain: the next few years of the disruptive technology that is Cloud Computing will be interesting to experience.


PS2009 — Stefan Brands, Microsoft

Feb 3rd, 3:10pm

Dr. Stefan Brands was in town this week so even though he wasn’t on the original program, the organizers decided to add Microsoft’s newest addition to the conference.  Brands is now a Principal Architect in the Identity and Security Division.

The first part of the presentation was standard Identity 2.0 stuff. A user accesses a Service Provider (SP), who in turn asks for one or more claims. The user then authenticates to an Identity Provider (IdP) to get the required claims.  The claims are passed by the user to the Service Provider.  Access granted.

Mr. Brands explained how Geneva — a major new release of Microsoft Active Directory Federation Services — fits into each part of the user-centric model:

  • Used by the IdP, Geneva Server will provide claims (including SAML 2.0);
  • CardSpace Geneva will provide user control over distribution of claims by offering an active client; and
  • Geneva Framework will provide tools to applications to accept and process claims.

The interesting part of the presentation was the discussion of how U-Prove technology (from Credentica, Brands’ old company) is being incorporated into Geneva to allow for more refined handling of claims by CardSpace users.  As examples:

  • Users can selectively disclose some claims, but not all, to an SP.  If a CardSpace card had six attributes, but the user only needed one to access the services, the user could mask the other five claims.
  • Users can strip the claims down to the bare minimum to maximize privacy protection.  For example, if an SP only needed to know that the user was a resident of Quebec, it would only need the first letter of the postal code — “H”.  The user could hide the remaining five characters in the postal code string and supply only the first one to prove residency.

Interesting stuff.
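The IdP/user/SP claims flow at the start of this post and the two selective-disclosure examples above, worked through as an added illustration. This is not code from the post, from Microsoft’s Geneva, or from U-Prove: it models the three roles with one salted hash commitment per attribute and an HMAC standing in for the issuer’s signature (so issuer and verifier share a key here, which a real signature scheme would not require). All function names (`issue`, `present`, `verify`, `postal_code_attributes`, `quebec_resident_check`), the `ISSUER_KEY` constant, and the sample card values are assumptions constructed for the example. The Quebec check uses the post’s own example of accepting a leading “H”.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key (assumption). A real
# deployment would use a public-key signature so the SP holds no secret.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


def commit(name, value, salt):
    """Salted hash commitment to one attribute; the value stays hidden until the salt is revealed."""
    return hashlib.sha256(f"{name}|{value}|{salt}".encode()).hexdigest()


def sign(commitments, key=ISSUER_KEY):
    """Issuer's 'signature' over the whole commitment set (HMAC stand-in, see lead-in)."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


def issue(attributes, key=ISSUER_KEY):
    """IdP side: commit to every attribute separately, then sign the set of commitments."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    commitments = {name: commit(name, attributes[name], salts[name]) for name in attributes}
    return {"attributes": attributes, "salts": salts,
            "commitments": commitments, "signature": sign(commitments, key)}


def present(credential, reveal):
    """User side: open only the named commitments; every other attribute is withheld."""
    return {
        "disclosed": {name: (credential["attributes"][name], credential["salts"][name])
                      for name in reveal},
        "commitments": credential["commitments"],
        "signature": credential["signature"],
    }


def verify(presentation, key=ISSUER_KEY):
    """SP side: check the issuer signature over all commitments, then that each
    disclosed value opens its own commitment. Returns the accepted attributes,
    or None if the signature or any opening fails."""
    expected = sign(presentation["commitments"], key)
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    accepted = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if presentation["commitments"].get(name) != commit(name, value, salt):
            return None
        accepted[name] = value
    return accepted


def postal_code_attributes(postal_code):
    """Encode a postal code as one attribute per character so a single character can be disclosed."""
    return {f"postal_{i}": ch for i, ch in enumerate(postal_code)}


def quebec_resident_check(presentation, key=ISSUER_KEY):
    """SP policy from the post: residency is accepted when the first postal-code character is 'H'."""
    accepted = verify(presentation, key)
    return accepted is not None and accepted.get("postal_0") == "H"


if __name__ == "__main__":
    # Constructed six-attribute card, as in the post's example; the SP learns only member_id.
    card = issue({"name": "A. Sample", "dob": "1970-01-01", "email": "a@example.invalid",
                  "phone": "000-0000", "employer": "Example Co", "member_id": "12345"})
    print(verify(present(card, ["member_id"])))

    # Constructed postal code; only the first character is revealed.
    postal_card = issue(postal_code_attributes("H1A1A1"))
    proof = present(postal_card, ["postal_0"])
    print(quebec_resident_check(proof), sorted(proof["disclosed"]))
```

Two points a practitioner should take from this toy. First, the issuer decides the disclosure granularity up front: the postal code had to be committed character by character for the “first letter only” presentation to be possible at all. Second, the commitment set and signature are identical in every presentation, so any two SPs (or one SP across visits) can link them to the same credential; that linkability is exactly what U-Prove’s cryptography is designed to remove, and this hash-commitment sketch does not attempt it.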

In response to a question, Mr. Brands differentiated federated identity from user-centric by saying that only user-centric identity management is suitable to the large-scale, citizen-oriented systems that governments need to deploy. In his view, federation is best suited to enterprise applications and services that are shared between business partners.