Identity and Leadership: Sorely Lacking the Latter

Blogger: Kevin Kampman

Last weekend, my wife and I conducted a whirlwind friends and family tour of western Washington State. Starting Friday morning in Seattle, we drove to Marrowstone Island, then to Glacier via Port Townsend, Deception Pass, and Bellingham. Saturday we drove to the top of Mt. Baker, then back to Tukwila. Sunday, we were off to Carnation (just east of Redmond) to visit a horse we helped the Cowgirl Spirit Rescue Drill Team save from slaughter. We met with Juliane and JJ, and turned out Bazkheno DaVinci (you thought only people had naming issues) onto a 20-acre lot with five other rescue horses. It is a sad situation that trained horses like Baz turn up at auction; sadder still that many of them turn up as someone’s dinner.



Sunday evening we had a fine Italian dinner with my wife’s family in Seattle; no pets were on the menu. I did have a conversation about the IT and business divide with one of my cousins, from a business perspective. More about that, later.

Bazkheno DaVinci (grey horse at center) and other rescues, Carnation WA



So, where am I going with this? Burton Group has been following identity, privacy, and electronic health records (EHR) for some time, and in particular the issues around liability and the potential for damages if patient records aren’t properly managed and protected. A variety of solutions are coming to market to capture and maintain EHRs, and some employers are mandating the use of these services. Microsoft and Google are making significant strides in this area, and Microsoft just made a significant acquisition, Sentillion, that bolsters its health care portfolio. Even the government is in on the act, providing substantial stimulus money for health records automation.



However, the record on these efforts is not encouraging. In a recent blog post, Electronic Health Records: Are They Worth It or Not?, Robert Charette cites research indicating that while certain efficiencies may be realized by implementing EHRs, larger concerns are surfacing about data mining of these records, primarily to benefit insurance and government entities. The post goes on to state that EHRs may have little or no impact on the quality of health care or on reducing its cost. And the risk remains that this information will be used for purposes other than those originally intended. With the large government investment being made to implement these systems, the possibility exists that investors, managers, and the government will ride roughshod over patient privacy unless powerful oversight of this information is established.



At dinner Sunday evening, we discussed an IT project that is being rolled out to meet an arbitrary schedule. This is in spite of misgivings on the part of business representatives about project preparedness and the potential impact of failure. The point was made that while the project had known issues, there was no one influential or powerful enough to stand up and question the current state of the effort. No one wants to take the fall. The horse is ready to run, so to speak, if only on three legs.  



As part of our current research on governance, we are learning that strategic, shared perspectives about business value and risk throughout projects, programs, enterprises, and communities are frequently lacking. For a business, this is regrettable. When there are life-affecting issues at stake, this is clearly unacceptable. In these situations, governance may not be enough. Leadership skills, advocacy, and authority on behalf of those least able to protect themselves are critical. Whether it’s a new financial or patient records system, nothing less is acceptable. Once the horse (or EHR, or any other personally identifiable information) is out the gate, there is little likelihood of bringing it back.

The Identity Services Work Group: Coming of Age

Blogger: Kevin Kampman

The Identity Services Work Group (ISWG) has been successful in identifying issues and approaches for identity management technology interoperability. This ad-hoc effort has been going on for several years and represents an international community of enterprise users and vendors. As an example of its activities, the ISWG produced an architecture and an initial use case for authorization. Burton Group has published two documents summarizing these efforts (subscription required): The Challenge of Identity Services, and Identity Services Architecture: Working Toward Consensus.



In 2009, the ISWG participants recognized the need to formalize their activities. After surveying related groups and a discussion of options at Burton Group’s Catalyst conference, the decision was made to approach the Kantara Initiative. Gavin Illingworth (Bank of Montreal) led this effort, assisted by Jeff Broberg (CA) and John Tolbert (Boeing).



On December 2nd, the formation of the Identity and Access Services Work Group (IAS-WG) was voted on and approved. Among the benefits to the former ISWG and to the Kantara Initiative are alignment with and influence over related identity efforts, access to a broader and more global constituency, an open discussion of challenges and solutions, and facilitation of group activities.



The unique interaction between enterprise customers and product vendors at the ISWG was productive, and it is gratifying to see the effort move forward based on its initial success. Former ISWG participants and new members are welcome to participate, and can contact Gavin (gavin.illingworth@bmo.com) or the Kantara Initiative for more information.

Why seeing your social activities again seems so uncomfortable?

Blogger: Ian Glazer

Continuing Burton Group’s work on social networking and social media, I've been having various forms of this conversation over the last few weeks. First, I was at TechAmerica talking about social networks, privacy, and data breaches. Although the audio isn't great, you can get the gist from this video. Then I was talking to the guys from InfoChimps ahead of their debut of some huge Twitter datasets. (The potential for data they have is pretty breath-taking.) Meanwhile, I am prepping a more formalized version of this talk for an upcoming OWASP event. With all this activity I thought I'd share a part of it.



On the whole, people have no problem using social networking tools. Whether for personal or for work reasons, more and more people are using a variety of tools to share and connect. And in this regard, we can think of social tools as engines for disclosure. Although people are relatively comfortable making disclosures such as "had a great meal in Ottawa" or "have to burn the midnight oil to get this blog post done," people feel uncomfortable when these disclosures appear in other places. This feeling is akin to reaching into your computer bag and finding a long-lost banana: a little foreign, a little gross, and a little strange. People often want to keep their social structures separate and, using a highly technical word, people feel oogy when they discover that something they have disclosed (an activity, a group they may have joined, a relationship they formed, a trip they have taken, etc.) is known by other people in other networks.



There are three axes to this problem:

* Audience

* Content

* Time



Oogy factor #1 - Audience - People often underestimate the size of the audience to whom they are disclosing information. What they think they are sharing with their team at work is in fact shared with the enterprise. Furthermore, there are cases where the true size of the audience is not known because of linkages between different social networking sites and the social graphs defined therein.



Oogy factor #2 - Content - Some disclosures are not obviously under people's control. It's obvious when I update my status in Yammer. It isn't so obvious when I join a group and that fact appears in my work activity stream. This is unsettling, as information is being disclosed about me and yet I didn't actively disclose that information. (I fell prey to this one... ask me sometime - funny story.)



Oogy factor #3 - Time - Closely tied to Content, people don't necessarily have control of when things are disclosed about them. Where social tools are reporting on activity, it isn't entirely obvious how a person controls such disclosures and when they happen.



People build mental models of how they believe social tools behave along these three axes. If any one axis is shifted and the tool behaves in a manner contrary to those mental models, people feel uncomfortable. While people are just establishing a comfort level with social tools from a consumer perspective, the enterprise is only taking its first teetering steps with them. There is definitely enterprise-grade ooginess ahead as enterprises grapple with the data breach and privacy implications of these tools. To that end, social tools have to provide meaningful ways for people, in the consumer setting, to adjust tool behavior to meet their own mental models, and for enterprises to accommodate wider regulatory and data protection concerns.

 

I'm going to be giving a longer version of this as a presentation to an OWASP and Tivoli users group meeting in December. If you are in the Hartford area, join us. You can register here.

Hopes and concerns for identity

Blogger: Ian Glazer

A friend in the industry recently asked me for my thoughts on OpenID, InfoCards, and the US federal government's work to consume non-government issued credentials. Letting the question rattle around in my head for a while, here's what I've got so far.



My hope is that the overall ICAM initiative is successful—not because I have been eagerly waiting to interact with the federal government using some form of authenticated credential—but because we (citizens, enterprises and government) are at a pivotal moment in the history of the web. With the US government working with both the OpenID and InfoCard Foundations, there exists an opportunity to change how individuals interact with large organizations, both public and private. For the first time, individuals would be able to (even encouraged to) interact with a large organization (such as the US federal government) using an identity asserted, not by the large organization, but by the individual. In this case, the State is no longer the sole provider of identity. This breaks the monopoly that the State has had on credentials and is indicative of the future to come.



But there is a long road to walk before getting there. There are numerous concerns with these plans. Among these are notable security concerns, especially with OpenID, that the identity community is not blind to. These are not my primary concerns.



My primary concern is with the establishment of standard user behavior that could prolong existing problems. Today, after decades of enterprise training and a decade of consumer training, people naturally expect to see two text boxes on web sites. One is for their username and the one with the little stars is for their password. This behavior is ingrained. Changing this behavior is no small feat - just ask the OpenID and InfoCard groups. But it is a change that must occur to normalize people using something stronger than username and passwords to authenticate themselves.



My concern is that the behavior that is being established as a norm - the use of either an identity selector or some other user interface means - will become the username/password of the next generation. This isn't a hypothetical problem; the writing is already on the wall. Currently, OpenID will only be accepted for low-value transactions with the government, known as Level of Assurance 1 (LOA1). Activities like filing tax returns require far greater assurance that the person is who they claim to be and thus require a Level of Assurance 3 credential. And there is the problem. The way people use an LOA3 credential may be very different from how they use an LOA1 credential.



If we, as an industry, normalize user behavior that meets LOA1 needs but not LOA3, we are training in behavior that has to be untrained in the near future. What the government and its partners are on the path to doing is effecting real cultural change. This kind of change doesn't happen often and is hard to do, and especially hard to undo.



I definitely want a future in which I can assert my own identity without validation from the State, but I am very willing to wait for that future to assure that the behavior the industry normalizes is one that will work for generations to come.

Remembering Don Bowen

Don Bowen, our former colleague and dear friend, lost his battle with cancer yesterday. Our deepest sympathies go out to Don’s family during this difficult time.

You will never meet a person who was as inspirational as Don. Whether in good times or bad, Don was always upbeat, energetic, and intense. During his illness, we also saw the strength of his faith, which was unwavering. Don has left a huge void in our lives and we will miss him for a long time.

RSA, VeriSign, Cloud, OTPs, and Token Necklaces

Blogger: Mark Diodati

Today, RSA and VeriSign announced a partnership under which VeriSign can resell SecurID OTP tokens via its VIP managed authentication service. RSA can also resell the VIP authentication service.



The press release implies that the relationship between RSA and VeriSign has been co-operative and amicable. Don’t be fooled. In early 2005, VeriSign was the primary driver for the OATH industry group, expressly created to take on RSA’s “cash cow”–its SecurID OTP business. Since that time, VeriSign has aggressively pursued RSA’s SecurID customers and competes against RSA in the consumer authentication space.



As applications move to the cloud (e.g., SaaS), it is essential that users are not required to carry more than one OTP token to access SaaS applications from different providers. This scenario is very similar to what we’ve seen in the enterprise: the “token necklace”. Users carried multiple authenticators around their necks because the authentication domains did not speak to each other. RSA and VeriSign launched managed authentication services (the aforementioned VIP service and RSA’s Go ID service) which can overcome the token necklace issue by enabling many organizations to leverage a single token for authentication. Now that RSA can resell the VIP service, is this the end (or more likely, the de-emphasis) of RSA’s Go ID service?
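To make the token-necklace point concrete, here is an added example; it is not code from RSA, VeriSign, or Burton Group, and it says nothing about how the VIP or Go ID services are actually built. It implements the HOTP algorithm from RFC 4226 (the event-based OTP that OATH-compliant tokens use, checked against the RFC's published test vectors) and a hypothetical shared verifier, `ManagedVerifier`, that several relying applications consult. The token serial and application names are constructed for the illustration. The design point it demonstrates is the reason a single token can safely serve many organizations only when one party holds the token's counter state: a code accepted by one application must be unusable at every other application, which requires the counter to advance in exactly one place.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


class ManagedVerifier:
    """Hypothetical managed authentication service shared by many relying
    applications. The token's moving factor (the counter) lives here and
    only here. If each application kept its own copy of the counter, a code
    accepted by application A could be replayed at application B, because
    B would not yet have advanced past it."""

    def __init__(self, look_ahead: int = 5, max_failures: int = 5):
        self.look_ahead = look_ahead      # RFC 4226 resynchronization window "s"
        self.max_failures = max_failures  # throttle brute force after this many misses
        self.tokens = {}                  # serial -> {"secret", "counter", "failures"}
        self.audit = []                   # (serial, app, counter) for each accepted code

    def enroll(self, serial: str, secret: bytes, counter: int = 0) -> None:
        self.tokens[serial] = {"secret": secret, "counter": counter, "failures": 0}

    def verify(self, serial: str, code: str, app: str) -> bool:
        tok = self.tokens.get(serial)
        if tok is None or tok["failures"] >= self.max_failures:
            return False
        # Search forward from the last accepted counter (the user may have
        # pressed the button without the code reaching any verifier), but never
        # backward, so each code is good for exactly one use across all apps.
        for c in range(tok["counter"], tok["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                tok["counter"] = c + 1
                tok["failures"] = 0
                self.audit.append((serial, app, c))
                return True
        tok["failures"] += 1
        return False


if __name__ == "__main__":
    service = ManagedVerifier()
    service.enroll("token-1", RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print(service.verify("token-1", first, "crm.example"))  # accepted
    print(service.verify("token-1", first, "hr.example"))   # rejected: replay at a second app
    print(service.verify("token-1", hotp(RFC4226_SECRET, 2), "hr.example"))  # accepted: within window
    print(service.audit)
```

The look-ahead window is what lets a user recover after generating codes that never reached a verifier; keeping it small and throttling on repeated failures bounds an attacker's guessing budget, which is the trade-off RFC 4226 discusses.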



This agreement provides VeriSign with some powerful capabilities. The VIP service will now work with both VeriSign (OATH-based) and RSA SecurID tokens. It’s likely that customers can mix and match token types based upon their application support and price requirements. Because VeriSign can bundle SecurID into its managed service, I believe it got the better part of the deal.



RSA derives two benefits from the partnership. Presumably, RSA will sell more SecurID tokens. Also, RSA’s ability to resell the VeriSign managed service gives it broader entry into the managed authentication services market, and with it the ability to better address the emergence of cloud applications (which in turn enables RSA to sell more tokens).



Over time, the OTP form factor of choice for cloud-based applications will be the software token installed on the user’s mobile phone. We discuss this in our research document “More, More, More: The Challenge of Extended Enterprise Authentication Mobility” (subscription required).