A few weeks back I had the pleasure of delivering my ideas for the Laws of Relationships. The Laws are meant to be design considerations to everyone building, deploying, or consumer identity relationship management services. The team at ForgeRock, our hosts at the IRM Summit, were kind enough to video the talks. What follows is both a video of my delivery as well as the slides themselves. I am very much interested in getting feedback on this. I want to channel the response into the Kantara Initiative Working Group that is forming around IRM.
Here it is… week 10 of my new job at salesforce.com. Needless to say it has been a bit of a blur. Part of my gig here is to hit the speaking circuit. I was at the European Identity Conference a few weeks ago talking about killing off IAM and how it should be reborn, and next week I am off to the Identity Relationship Management Summit. I have to say, I am little nervous about speaking at IRM this year… not one, but two of my ex-bosses will be speaking there, not to mention my current one. I have to admit when I first heard the noise surrounding Identity Relationship Management, I cringed, especially when people started referring to it as IRM. IRM sounds way too much like DRM to me and that just leads to bad things. Furthermore, my concerns with what Kantara and ForgeRock laid out was that it didn’t necessarily address relationship management; they presented the needs of modern IAM well but didn’t present the needs of relationship well. However, after many conversations and email threads, I still loathe the IRM name but have come around to the larger mission that Kantara has in mind. Simply put, relationship management is the future of identity and access management.
Recently, I was asked to give a talk about privacy challenges of the Internet of Things. In the spirit of my “Killing IAM” talk, I give you “Big P Privacy in the Era of Small Things.”
There’s a little bit of a kerfuffle going on in XACML-land. A non-Gartner analyst made the claim that XACML is dead. Such a claim doesn’t go unnoticed; so Gerry, Anil, Danny, and Remon have all responded that no, XACML isn’t dead. It is not pining for the fjords. It isn’t even zombified.
Anyone can declare a protocol dead. Last year it was SAML. This year, apparently, it’s XACML. Now as someone who killed off the entire IAM industry, I think I’m in a position to comment about this.
I saw my first pair of Google Glass at the IAPP’s Privacy Summit a few weeks back. I can’t say for certain but I’ve got a feeling that the wearer was not only loving the utility his pair of Glass provided but also the circumspect looks shot his way by hundreds of privacy professionals. This got me thinking about how societal privacy issues are born – not just with Google Glass but with any technology. As Glass debuted, people have been raisingmultipleprivacyconcerns including the concern that Glass could send images of people’s faces back to the Googleplex for post-processing such as facial recognition. This concern is rooted in the asymmetric relationship between the people in the line of sight of the Glass wearer, with whom they may not have a relationship, and Google who could collect their image and use it for whatever purpose it sees fit. The random stranger might not have a relationship with the Glass wearer and she most certainly does not have a relationship with Google (or whoever makes the next Glass-like widget) in this context. The concern, I believe, is not just of asymmetric relationships and power imbalances but also one of post-processing. Certainly Google isn’t the first organization to gather data for post-processing. From a privacy perspective, news agencies deploy photographers to gather images of people for their form of post-processing – publishing newspapers. Data brokers have gathered both publically and privately available data for post-processing – selling information about one party to another. Our governments gather huge amounts of public and private data, including CCTV images, for their flavor of post-processing as well. The desire on the part of innovating enterprises is to continue to find ways to post-process information. In fact, this isn’t a desire but a business imperative. And this leaves me with nagging questions:
Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into you desk chair you see it - white smoke wafting up from the chimney. It’s time to provision a new Pope!
Step 1 – Meet the new Pope
First things first, go meet the new Pope. Invariably new Popes arrive with panoply of devices that they want connect to continue to be able to use, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mist of Pandaria, he gets a bit grumpy.)
Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6 step process guaranteed to help you help your Pope incur a separation from payroll.
Step 1 – Listen to HR
In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change to ‘Abdicated?’ Does the user provisioning system actually know how to process ‘Abdicated’ status codes instead of ‘Terminated?’ Say a Hail Mary and proceed to Step 2
I gave this talk a few months ago. I had just finished writing our 2013 Identity and Privacy Planning Guide and was trying to think of a different way to express what I had written. What I came up with was this very very different way to express what I had written. I’d love your feedback. Also, no commas were harmed in the filming of this presentation.
Yesterday’s National Strategy for Trusted Identities in Cyberspace event was a bit of a blur. Really good conversations. Lots of new ideas swimming through my head. Here are some of the highlights: New faces from outside theecho chamber First and foremost, there were a lot of new faces and new companies at the NSTIC event. The NSTIC team did an admirable job of getting companies to the table that hadn’t been there before. There were retailers, energy companies, and banks in the room who had never engaged with the identity community before. This is a huge step forward. As I wrote about last week, participation, specifically relying party participation, is critical to the success of NSTIC. As Senator Mikulski said, “The key to a voluntary system is actually having volunteers.” If the event was indication, there is a new wave of volunteers, willing to participate in NSTIC. Business of Identity The bulk of our conversations yesterday were regarding the business impact of better identity practices. Companies pointed to existing inefficiencies that they can remove from their business simply by starting to accept federated credentials. These sorts of scenarios weren’t particularly complex, which is why they have good chance to succeed. They are simple scenarios with real business impact – exactly the kind of thing identity teams need in order to demonstrate value. What was even better was that these simple scenarios were the stepping-stone to more complex, new business opportunities. Remove inefficiencies, then unlock new business, repeat. We’ll be talking more about these opportunities in future blog posts and in our research. Identity Market Opportunities Abound I noted that there is a huge gap between trust frameworks and the application of identity technology. If I was a medium-sized business, I would have no idea how one related to the other. I would have no idea how different identity services inter-relate and how to best deploy them. What is needed are identity service brokers. An IdSB would take your service-level, level of assurance and confidence, and privacy requirements, then match them to an existing trust framework and select and deliver identity services, likely from different providers that meets your requirements. IdSBs do not exist, but they need to. Carrier-grade Identity An attendee asked “what are the attributes of carrier-grade identity providers?” That’s a puzzler. Just having a really big set of identities doesn’t make you a carrier-grade IDP. But what does? A fellow panelist suggested that attack resilience is a key attribute. Resilience is part of the story but not the whole. I’m not entirely sure we, the market, knows what a carrier-grade identity service looks like… I’m not sure they exist yet. We have lots of product, an emerging array of services, but we don’t have an identity dial-tone for the Internet. It will be interesting to see which business emerge as the telcos of identity. Catching-up and going forward This was just a little sample of the conversations we had. I’ve captured the Twitter stream, which you can check out for a little more detail. So what next? NSTIC’s momentum is definitely picking up. If you want to get engaged, come to our Catalyst conference. Jeremy Grant, director of the NSTIC program, will be giving an update. But more importantly, we are hosting a workshop for NSTIC at which you can sit down with the NSTIC team to talk about what the strategy means to your business and industry, and learn how to participate.
Thanks to Joni Brennan of Kantara for snapping this pic
(The following is the statement I’ll deliver today at the National Strategy For Trusted Identities in Cyberspace event at the White House.)
Our way of thinking about identity management is outdated. This outdated thinking poorly reflects the way we interact on Main Street, and it doesn’t fit the needs of people and enterprises trying to interact on the Internet.
On the whole, current thinking regarding identity management is that of the Industrial Era. Enterprises are creating “company towns” for identity. In the Industrial Era, companies, such as Pullman, created towns for their workers to live in, and these towns provided all the services that the employees could use. In today’s identity “company towns,” the enterprise has created your identity, owns your identity, and you cannot use your identity anywhere else – it has no value or meaning outside of “the town.”
