Social Media Marketing

I’ve just signed up for the Social Media Marketing Bootcamp that is taking place in downtown Edmonton on September 9th.

The idea is to see how my own business marketing stacks up against the best practices that are emerging.  I’m already using the web, which of course includes many things now tagged as ‘social media’, and traditional media for marketing, but perhaps there is a set of practices and techniques that can help my business.

Maybe there is an identity angle to be discovered…

Update: no real identity angles, but a very worthwhile session — I learnt a lot about how to design and implement a social media program.  They are running this again in October but already are nearing capacity, so sign up today if you are interested!


PS2009 — Epilogue

The 2009 Privacy and Security Conference is over for another year. As usual I was treated to some interesting new ideas, issues and solutions.

But this year I’m conscious of the number of times that I left the session with a feeling that the speaker had been cut off or missed delivering their conclusion. It wasn’t that the presenters were weak (they weren’t) but rather that many sessions ended with unanswered questions.  Such is the state of privacy and security in 2009 I suppose…

A random sampling includes:

  • How will IdM and access be effectively implemented in our hospitals and clinics? The physicians see authentication as an obstacle to delivering health services, yet health delivery organizations must have appropriate controls in place.  The CIO for Vancouver Island Health Authority had the problem well defined but didn’t give us insight as to what solutions she saw as promising.
  • When, if ever, will the US introduce effective Federal privacy legislation?  This conference has a fair number of US-based speakers and each one tells an American story prefaced by ‘up here in Canada, this is less a concern because of your privacy laws’.
  • Can government ever leverage Cloud Computing, or will data control always limit its ability to leverage the Cloud?  Nicholas Carr didn’t answer this question for us, and — given this was a public sector conference — I think most of us are skeptical that the Cloud will ever meet government needs.
  • What is the ‘killer use case’ for user-centric IdM?  Stefan Brands was technically very good in his presentation, but too often user-centric IdM is focused on the model and technology.  We get the technology now — but what are we going to use it for beyond low-value SSO?  (This topic is certainly fodder for future posts on this blog.)

Despite these loose ends, I enjoyed this conference again this year — it was good to meet new people, kibitz with a few clients and enjoy the spring-like maritime weather.  I’m sure to be back in 2010.


PS2009 — Winn Schwartau

Feb 4th, 9:40am
Live blog post…

Winn Schwartau is the President of Interpact Inc. He explains how easy it is to gather information on an individual; medical, financial and legal information are all available using a range of free and paid Internet services.

Key concerns:
– On the Internet today, there are approx. 500,000 databases containing personal information.
– Virtually no regulation exists to protect privacy especially in the US.
– No-one reads usage agreements that outline what a company can do with our data.
– Privacy rules/laws difficult to set because technology changes so rapidly.
– 75 percent of US residents have had data on them lost or stolen.

He makes a number of interesting points:
– Why can’t we treat our personal details as copyrighted information? Why can’t we own our own names?
– The questions are ethical not legal.
– We need to redefine ‘public domain’ to mean ‘for the public good’.
– We should be able to tell companies that they can only use our information for one transaction (unless we order otherwise).
– We must be able to request and receive all information held on us by companies.
– We must have data error repair rights and, if possible, some recourse for abuse.
– Need leadership and global cooperation to bring about change.

Interesting and thought-provoking, more info at


PS2009 — Nicholas Carr

Feb 4th, 8:35am

Nicholas G. Carr, Author

Mr. Carr’s 2003 Harvard Business Review article and follow-on book, Does IT Matter, forced organizations to rethink IT’s role in developing and executing strategy.  His current book, The Big Switch, examines the impact of cloud computing on business, culture and society.  An excerpt:

At a conference in Paris during the summer of 2004, Apple introduced an updated version of its popular iMac computer. Since its debut in 1998, the iMac had always been distinguished by its unusual design, but the new model was particularly striking. It appeared to be nothing more than a flat-panel television, a rectangular screen encased in a thin block of white plastic and mounted on an aluminum pedestal. All the components of the computer itself – the chips, the drives, the cables, the connectors – were hidden behind the screen. The advertising tagline wittily anticipated the response of prospective buyers: “Where did the computer go?”

But the question was more than just a cute promotional pitch. It was, as well, a subtle acknowledgment that our longstanding idea of a computer is obsolete. While most of us continue to depend on personal computers both at home and in the office, we’re using them in a very different way than we used to. Instead of relying on data and software that reside inside our computers, inscribed on our private hard drives, we increasingly tap into data and software that stream through the public Internet. Our PCs are turning into terminals that draw most of their power and usefulness not from what’s inside them but from the network they’re hooked up to – and, in particular, from the other computers that are hooked up to that network.

This talk was an easy way to start the day.  As I was absorbing my first caffeine infusion, it was satisfying to sit back and listen to Carr talk about how the early 20th century industrialists switched from water power to electrical grids in the space of a few decades.  The predominant power generation systems in the 1800s were privately owned water-wheels that drove mechanical factories. All this changed late in the century with the advent of centrally generated electricity. By 1930, 90% of all power generation came from grid utilities.

It is this type of disruptive technology event that Carr links to today’s increasing use of Internet computing resources, aka Cloud Computing.  He makes the point that computers and storage that are privately owned are underutilized and require large labour efforts to maintain. Further, this labour is disproportionately spent on ‘keeping the lights on’ with only 30% of effort dedicated to creating new systems or directly supporting business automation.

Today there is a huge trend towards large-scale server farms that offer high efficiency and low cost.  While this is nothing new — timeshare mainframes were all the rage in the 1970s — there are two significant differences with today’s Cloud Computing infrastructure:

  1. Server virtualization technologies offer enormous scalability and flexibility. Applications that need additional power can have capacity added almost instantly.
  2. Network capacity has finally caught up with computing power.  For many years we have had enormous leaps in processing power that were not matched by increased network bandwidth.  But today, high-bandwidth connections are the norm and we no longer need to be physically close to our computing resources to deliver enterprise applications.

Another important development is that the model is already proven with consumer (think Web 2.0) applications and massively successful business applications like SalesForce.  The more enterprise IT sees these types of deployments, the more likely they will consider Cloud Computing as an option to reduce costs and increase capabilities.

Carr makes the assertion that Cloud Computing is a disruptive technology, and that users of traditional, self-hosted systems will likely be caught by surprise as this trend becomes more prevalent. 

He does recognize that there are some important consequences of Cloud Computing:

  • data is now centralized and connected over the web;
  • information security is more important — mostly because the risks of breach and downtime are increased; and
  • organizations may need to trade privacy (think Gmail) for convenience and low cost operations.

Governments have been slow to make the switch to Cloud Computing, likely for the three reasons highlighted above.  There is a big concern around where data is stored — most Canadian organizations, especially government ones, will not accept personal or confidential information to be stored outside of Canada.  Because Cloud Computing is so virtualized, it is possible that a service provider could not only store the databases in, say, the US, but move them to server facilities in one or more other countries without notice.

His final point was a slide showing a common power outlet surrounded by a large collection of now-common electrical appliances.  Harkening back to his earlier point about electrical grids, Carr illustrates how ubiquitous electrical power spawned a wave of innovation in device design that would take advantage of that utility.  

I think that Carr’s observations are well developed and he’s almost certainly correct in saying that many IT shops will move applications and infrastructure to the Cloud in the future.  I’m less convinced that government bodies will be so enamoured with a technology that has yet to prove it is sufficiently secure, privacy-conscious or reliable as those systems they operate today.

One thing is certain: the next few years of the disruptive technology that is Cloud Computing will be interesting to experience.


PS2009 — Sun Luncheon

Feb 3rd, 12:15pm

Lunch by invitation, and I was fortunate to be invited to dine with Sun:

Warren Strange, Senior Identity Architect
Everyday Identity Federation — Federated Identity Management is no longer science fiction!  In this luncheon we will explore how Federation is being used to solve real business problems. We will present a short case study showing how Sun Microsystems and Hewitt use federation to provide a better user experience. We will also behold the power of the mighty Fedlet!

Warren Strange provided a lunch-time talk on Sun’s OpenSSO identity provider/federation solution.  A key feature of this solution is its ability to rapidly deploy federation to smaller Service Providers (SPs) who may lack extensive infrastructure or expertise.  The product, running as an Identity Provider (IdP), allows the organization to create a small, customized ‘Fedlet’ file that can be easily deployed to provide federation capability to the SP.  While not a fully functional federation solution, the SP will at least be able to accept claims from the IdP without having to execute and manage a complex implementation. 

The second part of the presentation was an illustration of single and transparent sign-on between Sun’s employee portal and Hewitt, their HR partner.  This solution allows easy access to Hewitt by Sun staff over the web, using the same credentials they use to access the employee portal.  

During the project, the main challenges encountered included:

  • provisioning/de-provisioning of user accounts;
  • single logout; and
  • access control and audit logs (for reporting).

Of interest: because Hewitt already had an outsource relationship with Sun, the contractual agreement that was required to establish this federation was minimal.  This is in contrast to many warnings I’ve heard about the legal agreements for federated identity being difficult to negotiate.


PS2009 — Stefan Brands, Microsoft

Feb 3rd, 3:10pm

Dr. Stefan Brands was in town this week so even though he wasn’t on the original program, the organizers decided to add Microsoft’s newest addition to the conference.  Brands is now a Principal Architect in the Identity and Security Division.  

The first part of the presentation was standard Identity 2.0 stuff. A User accesses a Service Provider (SP), who in turn asks for one or more claims. User then authenticates to an Identity Provider (IdP) to get required claims.  Claims are passed by user to Service Provider.  Access granted.  

Mr. Brands explained how Geneva — a major new release of Microsoft Active Directory Federation Services — fits into each part of the user-centric model:

  • Used by the IdP, Geneva Server will provide claims (including SAML 2.0);
  • CardSpace Geneva will provide user control over distribution of claims by offering an active client; and
  • Geneva Framework will provide tools to applications to accept and process claims.

The interesting part of the presentation was the discussion of how U-Prove technology (from Credentica, Brands’ old company) is being incorporated into Geneva to allow for more refined handling of claims by CardSpace users.  As examples:

  • Users can selectively disclose some claims, but not all, to an SP.  If a CardSpace card had six attributes, but the user only needed one to access the services, the user could mask the other five claims.
  • Users can strip down the claims to bare minimum to maximize privacy protection.  For example, if an SP only needed to know that the user was a resident of Quebec, it only would need the first letter of the postal code — “H”.  The user could hide the remaining five characters in the postal code string and only supply the first one to prove residency.
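
A minimal sketch of the selective-disclosure idea described above, added here as an illustration; it is not Microsoft's or Credentica's code and does not implement U-Prove's cryptography. It uses salted hash commitments, with an HMAC standing in for the IdP's signature; the sample card, claim names and function names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the IdP's signing key so the sketch
# needs only the standard library; a real IdP would use a public-key signature.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample card: a name plus a postal code split into one claim per character.
CLAIMS = {"given_name": "Alex", **{f"postal_{i}": c for i, c in enumerate("H2X1Y4")}}

def commit(name, salt, value):
    """Salted commitment to one claim; the 128-bit salt stops guessing of short values."""
    return hashlib.sha256(json.dumps([name, salt, value]).encode()).hexdigest()

def sign(digests):
    """Issuer tag over the full list of commitments (HMAC stand-in for a signature)."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """IdP: commit to every claim separately, sign the commitments, hand salts to the user."""
    salts = {n: secrets.token_hex(16) for n in claims}
    digests = sorted(commit(n, salts[n], v) for n, v in claims.items())
    return {"digests": digests, "tag": sign(digests)}, salts

def present(token, claims, salts, reveal):
    """User: send the signed commitments plus openings for the chosen claims only."""
    return {"token": token, "disclosed": [[n, salts[n], claims[n]] for n in reveal]}

def verify(presentation):
    """SP: check the issuer tag, then check each opening against a signed commitment."""
    token = presentation["token"]
    if not hmac.compare_digest(sign(token["digests"]), token["tag"]):
        raise ValueError("token was not issued by the IdP")
    accepted = {}
    for name, salt, value in presentation["disclosed"]:
        if commit(name, salt, value) not in token["digests"]:
            raise ValueError(f"claim {name!r} does not match any signed commitment")
        accepted[name] = value
    return accepted

def demo():
    """Reveal only the first postal-code character; the other six claims stay hidden."""
    token, salts = issue(CLAIMS)
    return verify(present(token, CLAIMS, salts, ["postal_0"]))

if __name__ == "__main__":
    print(demo())
```

The SP learns the one opened claim and sees only opaque digests for the rest; changing a disclosed value makes verification fail because it no longer matches a signed commitment.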

Interesting stuff.

In response to a question, Mr. Brands differentiated federated identity from user-centric by saying that only user-centric identity management is suitable to the large-scale, citizen-oriented systems that governments need to deploy. In his view, federation is best suited to enterprise applications and services that are shared between business partners.


PS2009 — Justin Somaini, Symantec

Feb 3rd, 1:30pm
Live blog post…

Justin Somaini’s talk was on information security in turbulent times:
– 70 percent of malware is targeting sensitive information
– 10,000 to 20,000 virus signatures created each DAY (up from 1,000 per week only 4 years ago…)

Threats are increasing. With security budgets likely to drop during the recession, can we find other ways to educate and motivate employees and executives?

The image of information security people is negative, making communication difficult between IT and business. What is needed is a strong 2-way conversation to improve relationships. Mr. Somaini’s experience is that the relationship is key to gaining trust between the two groups. In Symantec, he has observed a significant increase in the reporting of security incidents immediately after collaborative visits with business users.

The point of the talk is that fear can’t be used to change behavior — information sharing and relationship building are the keys.  Less policing, more discussion…


PS2009 — Telus/Rotman IT Security Study

Feb 3rd, 10:10am
Live blog post…

Alan LeFort from Telus presented on this Canadian IT security practices survey and study:
– 60 percent of Gov’t don’t enforce their security strategy
– 4 percent of Gov’t orgs reported financial data loss
– 1 in 11 have lost confidential data
– private organizations almost 3 times more likely than Gov’t to communicate security issues with stakeholders
– IT security investments directly impact (reduce) security incident reports
– Gov’t strong in network security, weak in application security (e.g. lack of strong authentication)
– breach costs average 23 percent higher in Canada vs US
– private sector paying 35 to 40 percent higher salaries for security staff

The 2009 study will target 800 respondents (up from 306 in ’08). Currently looking for input to survey design — Google ‘Rotman Telus Security Survey’ to find site.


PS2009 — ePETs

Feb 2nd, 1:00pm

I wasn’t too sure where I’d spend the second part of the workshop day, so I wandered into this panel discussion led by Canadian privacy celebrity Ann Cavoukian and MITRE Corporation’s Dr. Stuart Shapiro:

The MITRE Corporation with the Information and Privacy Commissioner’s Office of Ontario

This session is intended to explore the area of ePETs, which are aimed at supporting privacy within large organizations that must appropriately handle and safeguard large amounts of personally identifiable information (PII) throughout the information life cycle. The dominant focus of traditional PET research and development has been tools to enable data subjects to protect their personal privacy, typically by preventing the collection of PII. There is a growing need, though, for tools that can help data stewards responsibly manage the PII in their possession in accordance with Fair Information Practices.

Okay, so let’s start with this: ePETS are electronic Privacy Enhancing Technologies.  Most of the technology discussed was a tool from a researcher named Khaled El Emam from the University of Ottawa.  He has developed a set of tools for anonymizing data for research purposes.  This technology has potential to greatly increase the type of information that a hospital or government organization can share with the research community by quantitatively measuring the degree to which the data has been anonymized before it is released.

The panel discussion produced a number of interesting quotes:

  • ‘Don’t let the perfect get in the way of the good’ — Joseph Alhadeff, Oracle Corp.
  • ‘… an Identity Resolution Service is needed’ — Charmaine Lowe, Director at the BC Ministry of Labour and Citizens’ Services, responding to a question related to resolving mis-information in government registries.
  • ‘Federated Privacy Impact Assessment tools are coming’ — Ann Cavoukian, Information and Privacy Commissioner for Ontario.
  • ‘… [government needs to] consider marginalized citizens who cannot produce the required identity proofing documentation when registering for programs and identity management systems’ — attendee from the Insurance Corporation of British Columbia explaining how he sees many cases each year where, for various reasons, people simply do not have the birth certificates, passports, citizenship cards, etc. required for registration

Overall, I thought this was a well-balanced discussion that reflected on how the practical needs of researchers can be met without eroding the privacy protections we expect organizations to provide us.


10th Annual Privacy and Security Conference

I’m back in Victoria, British Columbia this week for what is becoming an annual event for me — the Privacy and Security Conference sponsored by the BC Government.  I like this conference because it has a public-sector flavour to it; the speakers and attendees see the same challenges in their work as I do.

The plan is to produce a post or two each day but we’ll see how it goes…