This morning’s Privacy Track was the most intellectually stimulating set of sessions for me in the Catalyst Conference. The blend of theoretical background and practical application of privacy principles was a good combination. I certainly don’t consider myself a privacy expert, so I learned much and gained valuable perspective, both from the point of view of an Identity Management practitioner and as a person who values personal privacy. Hats off to Burton Group for assembling an excellent set of speakers.
Here are the high points for me:
Privacy: Principles Yield Practice
Bob Blakley (Burton Group)
- Privacy is not about data, it is about people
- Protecting privacy means putting oneself in the place of another and understanding the consequences of your actions
- Privacy means different things in different contexts
- Privacy principles:
  - accountability
  - transparency
  - meaningful choice
  - minimal collection and disclosure
  - constrained use
  - data quality and accuracy
  - validated access
  - security
- Put principles into context – then derive set of rules
- IdM systems have much personal data in them. Are we protecting the dignity of the people I know things about?
Privacy Issues Related to Healthcare and Identity
Speaker: David Miller (Covisint)
- IAM is not a security thing. It is a privacy thing.
- Security is about keeping people out; privacy is about letting the right people in.
- Electronic Medical Records (EMR) are being dictated by legislation, but have challenges to overcome, including:
  - authentication
  - authorization
  - data exists in many places
  - patient access to records depends on many factors
  - many organizations want access to information
  - regulatory issues
  - legal/tort issues
- One solution is a central Health Information Exchange (HIE).
- Several different organizations at the national, state and health care organization level approach HIEs differently.
Privacy – how to have a productive multi-stakeholder discussion
Robin Wilton (Future Identity Ltd.)
- Privacy is usually a multi-stakeholder discussion
- It is difficult for stakeholders to articulate their view of privacy problems in a way that other stakeholders understand
- Use the "Onion Model" to explore and use levels of importance of personal information
- Use the "Ladder Model" to facilitate different viewpoints about privacy
- We are doing all this technical interaction in online networking as if it works the same way as face to face interaction, but it does not.
- "Privacy management" implies being aware of relationships and contexts, and acting accordingly.
- Technology is not an automatic answer to privacy.
A Dual Mission: Identity Management and Privacy Protection in the Federal Government
Bob Mocny, Director, DHS-VISIT Program – Department of Homeland Security
- Identity management is critical to national security
- US VISIT – check credentials for visitors into
- 100 million biometric records used for authentication, 200K transactions/day – largest in the world
- Built privacy into architecture of system
- Secure facilities and networks are in place to protect privacy
- Redress process to correct personal information in the system is essential
- No more important condition between the government and the people it protects than trust
- US VISIT built trust into the biometric system
Joint Q&A
Bob Blakley (Burton Group)
Bob Mocny (Department of Homeland Security)
Robin Wilton (Future Identity Ltd)
David Miller (Covisint)
- Privacy-enhancing governance is difficult (e.g. if you request that your PII be deleted from a list, is your PII still on the audit trail?)
- Much explicit effort and many systems are necessary to avoid unintended consequences of amassing large amounts of personal information.
- People who have grown up in a hyper-connected, pervasive-surveillance world tend to have different perspectives on privacy than older people for whom personal information was secret by default.
Partnering via Privacy
Ian Glazer (Burton Group)
- Increased regulatory action, higher penalties, more people looking at privacy – all increase the attention companies must focus on privacy.
- Increased reliance on partners requires companies to understand privacy practices of partners.
- Perform Privacy Impact Assessments (PIA) to determine where we are, how we got here, and how changes can impact risks.
- PIA – opportunity to look at mission goals, design goals and privacy principles – are they in alignment?
- Reduce privacy risk by "cleaning your basement"
  - Scary basements (something might be illegal)
  - Messy basements (policy in place, but not well-applied)
- Procurement process is the best place to ask tough questions about partner privacy practices.
The Watchmen: UCLA & Georgetown Protect and Defend Privacy and Data Security
Heidi Wachs (Georgetown University)
- Although Georgetown University and UCLA differ significantly in size, organization and operational practices for privacy policy, their incident response processes are quite similar
- Both suffered significant privacy breaches
- Response depends on what data is actually "acquired" vs. how much was "exposed"
- Privacy breaches triggered much public press and discussion
- New policies implemented quickly as a result of the breach have been difficult to implement
How Google Protects the Privacy of Our Users
Shuman Ghosemajumder (Google)
- Google global design principles: transparency, choice, security.
- End to end security is an essential part of every Google Service.
- Google Latitude: make privacy choices very visible and easily accessible, with opt-out at multiple levels.
- Street view: blur faces and license plates automatically, but allow individuals to request blurring if automated process fails.
- Interest-based advertising: give users control over categories and opt out at different levels of granularity.
- Gmail: contextual ads caused concern because of their proximity to and dependence on personal email.
- Data retention: Google anonymizes IP addresses in logs after 9 months.
- Google chose paradigm of "opt-in after the fact", rather than offering "opt-in beforehand" to not disrupt the user experience or advertising ecosystem.
Technorati Tags: Identity, IdentityManagement, DigitalIdentity, Catalyst09, CatalystConference, BurtonGroup, Privacy