The Moments Ahead for Identity

[My address to the European Identity Conference 2016. Although this starts like my TCP/IP Moment talk it goes in a very different direction. In some regards, I think this might be the most important talk I have ever written and delivered. Giving credit where credit is due - the ideas in this piece are the distillation of many many conversations over the years. I am deeply indebted to the following peers for their help, encouragement, ideas, and support: Allan Foster, Robin Wilton, Nat Sakimura, Josh Alexander, Chuck Mortimore, Joni Brennan, and Josh Nanberg.]

Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post] In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to the sentiment I have. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not first-class members of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

Identity: The Missing Leg of the Stool

I had the pleasure of representing the Identity Ecosystem Steering Group (IDESG) at the International Association of Privacy Professionals’ Global Privacy Summit this week. Laura Hamady of PayPal, Heidi Wachs of Jenner and Block, and I talked about navigating the maze of online retail. My part in the talk was to illustrate the flow of personal data between the various players in different online retail scenarios. (Here’s a copy of our presentation if you are curious.) Now, as the only non-lawyer in the bunch, and likely the only identity person at the conference, I had a blast pointing out all of the data protection and handling issues that stem from identity interactions. The movement of identity data between social identity providers, your back-office systems, and third-party service providers is a dance of varying elegance. Regardless of how well those pieces are integrated, the information being shared helps your organization delight your customer. But in order to do so, the customer’s privacy needs and expectations must be met. (Not to mention sectoral and legal data protection requirements as well.) And that got me thinking. The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy nor security professionals can fully meet these challenges, in part because their default tools are the wrong ones for the job. What’s missing from the conversation is identity management. Identity is the missing third leg of the stool. Identity helps mitigate a vast number of security threats, including insider threat, through the minimization of access. Identity also helps address privacy requirements by governing access control to customer data. In this regard, we can think of identity management as the operational means by which privacy implements some of its required controls.
And to be clear, I am not saying that identity meets all of the requirements on its own; there are many other privacy controls that require security, and not identity, to meet - traditional data protection and event monitoring being just a couple. By working with identity professionals, privacy teams can better understand the flow of customer data. They can sharpen the focus of their privacy impact assessments and can more easily identify third parties that provide services and whose terms of service need to be harmonized with the organization’s privacy policy and notices. Simply put - an organization that coordinates the efforts of its privacy, security, and identity professionals is not only more likely to meet its customers’ privacy requirements but, most importantly, more likely to delight its customers.

Identity is having its TCP/IP moment

[This is my keynote from Cloud Identity Summit 2015. Unlike most of my talks, this one did not start with a few phrases and then an outline and then a speech and then a deck. This one dropped out of my noggin in basically one whole piece. I wrote this on a flight back home from London based on a conversation with a friend in the industry. Oh, there is no deck. I delivered this as a speech.] [Credit where credit is due: Josh Alexander gave me the idea for the username and password as cigarettes and the sin tax. Last year, Nat Sakimura around 2 in the morning in my basement talked about service providers charging for username and passwords to cover externalities, and I completely forgot about the conversation. Furthermore, at the time, I didn’t fully track with his idea. I totally get it now and want to make sure I assign full and prior art credit to Nat - the smartest guy in identity, sent from the future to save us all.]

Stop Treating Your Customers Like Your Employees

Unlike many of my other talks, this one didn’t start as a speech and didn’t start with a few phrases. This talk started as an analyst briefing deck. It had become clear that many of the identity industry analysts, if they covered customer identity at all, did so with a very narrow view of it. I put the progenitor of this deck together to show how broad customer identity is and, more importantly, how amazingly large the opportunity ahead of us is. Speaking season came upon me and I needed something to talk about. I took out all of the Salesforce-specific bits and turned the briefing deck into the keynote below. The gist is simple: customer identity presents the opportunity to grow the business and move identity professionals from being in a cost center to being in a revenue generation center. We, identity professionals, can be business enablers, something we have never been before. But, and this is a big one, customer identity is larger than employee identity and applying enterprise-centric techniques to customer-centric use cases is a major mistake. What follows is my attempt to show how big the world of customer identity really is. Customer identity is an amazing opportunity for identity professionals everywhere. Don’t treat your customers like your employees. Start delighting them.

The Identity Philosophers Song

With all due apologies to Monty Python and specifically Eric Idle, here’s the identity industry’s version of the Philosophers Song. Many thanks to everyone who helped this effort and huge thanks to Eve Maler for all her work on this. What follows is meant with much love and respect to everyone in the industry (mentioned or not). And with that… maestro please:

Jeremy Grant was a real pissant
Who was very rarely stable
iglazer, iglazer was a boozy beggar
who could think you under the table
Blakley whom could out-consume
Madsen, Bradley, and Dingle
Pat Patterson was a beery swine
Who was just as schloshed as Cahill
There’s nothing Wilton couldn’t teach ya’
Bout the raising of the wrist.
Cameron himself was permanently pissed…
George Fletcher, still, of his own free will,
On half a pint of shandy was particularly ill.
Nishant K could stick it away;
Half a crate of whiskey every day.
Patrick Harding, Patrick Harding was a bugger for white lightning
Nash was fond of his dram,
Really Dick Hardt was a drunken fart
“I drink, therefore I am”
Yes, Cameron himself is particularly missed;
A lovely little thinker but a bugger when he’s pissed!

And if none of that made sense to you, here’s the original which also might not make much sense either.

No Person is an Island: How Relationships Make Things Better

(The basic text to my talk at Defragcon 2014. The slides I used are at the end of this post and if they don’t show up you can get them here.)

What have we done to manage people, their “things,” and how they interact with organizations?

The sad truth is that we tried to treat the outside world of our customers and partners like the inside world of employees. And we’ve done poorly at both. I mean, think about it: “Treat your customers like you treat your employees” is rarely a winning strategy. If it was, just imagine the Successories you’d have to buy for your customers… on second thought, don’t do that. We started by storing people as rows in a database. Rows and rows of people. But treating people like just a row in a database is, essentially, sociopathic behavior. It ignores the reality that you, your organization, and the other person, group, or organization are connected. We made every row, every person an island – disconnected from ourselves. What else did we try? In the world of identity and access management we started storing people as nodes in an LDAP tree. We created an artificial hierarchy and stuffed people, our customers, into it. Hierarchies, and our love for them, are the strange lovechild of Confucius and the military industrial complex. Putting people into these false hierarchies doesn’t help us delight our customers. And it doesn’t really help make management tasks any easier. We made every node, every person, an island – disconnected from ourselves. We tried other things, realizing that those two left something to be desired. We tried roles. You have this role and we can treat you as such. You have that role and we should treat you like this. But how many people actually do what their job title says? How many people actually have meaningful job titles? And whose customers come with job titles? So, needless to say, roles didn’t work as planned in most cases. We knew this wasn’t going to work. We’ve known since 1623. John Donne told us as much. And his words then are more relevant now than he could have possibly imagined then. Apologies to every English teacher I have ever had as I rework Donne’s words:

Finding your identity (content) at Dreamforce

Dreamforce is simply a force of nature (excuse the pun). There are more sessions (1,400+) than you could possibly attend even if you clone yourself a few times over. And that’s not even including some amazing keynotes. Needless to say, there’s a ton to occupy your time when you come join us.

The Salesforce Identity team has been putting together some awesome sessions. Interested in topics such as single sign-on for mobile applications, stronger authentication, or getting more out of Active Directory? You need to check out our sessions!