Dave Kearns just commented on a Facebook photo of me at Richfield (Idaho) High School graduation, asking, “were we ever that young?”.

Great question, Dave.  It is hard to believe, but yes, over 40 years ago, when the photo of that skinny, dark-haired earlier me was taken, I was young.

That made me think of a theory I have about the relativity of time.  Do you remember when you were 5 years old?   Back then, I measured years from Christmas to Christmas.  It seemed that it took forever for another Christmas to come around.

But when I was 5 years old, a full twenty percent of my life had to pass before another Christmas would come.  Relative to my life experience, it did take a long time.

Now, however, only 1.7% of my life passes between Christmases. (You can figure out the math). And every year, the percentage becomes smaller.  If I live long enough, the time between Christmases will approach zero.

In the mean time, I can be thankful for the fact that I really once was that young, and can revel in the current reality that my youngest daughter is now a senior in high school, having experiences akin to what I had 40 years ago, and that my grandchildren are also learning to spread their wings and fly!

I recently participated in an Identity and Access Management architecture session where I was asked a direct question, “Do you consider user attributes not stored in the main directory a part of user Identity?”  When I said yes, a few people seemed somewhat perplexed.  Please let me explain my point of view.

I think there is a propensity to think that “Identity attributes”  are strictly limited to those stored in a directory user object.  That focus is too narrow.  While it may be that the “Identity Management System” only knows about those attributes, the sum total of real Identity information can be much broader.  This broader view of Identity is essential if we hope to leverage Identity Management to enable innovative business models.

For example, if I am an online vendor hoping to leverage user Identities to provide a highly personalized user experience for my customers, I must not rely only on the user object in the authentication directory.  A more rich set of Identity data comprising history, preferences and real-time context must be considered. This information may reside in multiple repositories.

Just my thoughts.  What do you think?

Having a deep fascination with The Internet of Things, I thoroughly enjoyed reading Phil Windley’s recent post, “Personal Event Networks: Building the Internet of Things,” and Drummond Reed’s commentary, “Phil Windley on Personal Event Networks.”

Phil concludes in his post, “An Internet of Things—social products and services—will have as profound an effect on our lives as the changes of the preceding 15 years. I believe that personalized event-driven programming models are a key part of the architecture that makes them real.”

In his post, Drummond states, “Many things become possible if your personal network of devices, products, and services can safely talk to each other in ways they can all understand. That’s what Phil is promoting through a simple event interface.”

It occurred to me that Identity is a key enabler – the Identities of People meeting the Identities of Things.  What transpires will be meaningful relationships between people and the things which provide services to them.  I like to think I already have meaningful relationships with things like my refrigerator and my car (I’m weird that way), but think such relationships can be significantly enhanced as the Internet of Things evolves.

I applaud the pioneering work of Drummond and Phil and others like them, who are working to bring about meaningful reality to these fascinating concepts.

What are the most frequent requests I hear from Identity and Access Management customers?  “How can I use this stuff most effectively?”  “What are the best practices?”

Features and functions, speeds and feeds are not front and center in the dialog.  The main topic of conversation tends to revolve around the best practices for using IAM to business advantage.  What have we collectively learned that will make success easier to achieve and more predictable?

In the maturing IAM industry, we have made great strides in learning how to install and configure IAM technology.  Many companies have learned how to derive business value from IAM.  Unfortunately, we haven’t done a good job of consistently documenting and sharing the experiences we have all gained in making it all really work. We have not consistently distilled experience gained into prescriptive recipes for success.  Customer success stories provide good anecdotal evidence, but fall short of being prescriptions for success.  We have precious few white papers that focus on how to make things work, rather than on extolling features and functions.

It would be an interesting exercise to interview a wide range of companies that have implemented IAM, derive from that body of collective knowledge what really works and what doesn’t, and present that information in a set of best practices that can help others succeed.  Book idea? We’ll see.

You have heard of the Last Lecture. What would be your final tweet?

What did you lose, Ziggy?  Sometimes, I think I am losing my mind.

By the way, did you know that Dictionary.com defines “cyberspace” as “the realm of electronic communication?”  Such a mundane definition for such an intriguing subject!

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

• Snooping into medical records of fellow employees (35%)
• Snooping into records of friends and relatives (27%)
• Loss /theft of physical records (25%)
• Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

• One to three days (30%)
• One week (12%)
• Two to four weeks (17%)

Once a breach was detected, it was resolved in:

• One to three days (16%)
• One week (18%)
• Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

In an Oracle webcast on September 20th, Scott Bonnell, Sr. Director of Product Management, Oracle, and Naresh Persaud, Director of Product Marketing, Oracle, will explore how the Oracle identity platform can mobilize stalled deployments, allowing customers to accelerate identity projects.

This complimentary Webcast will show how the Oracle identity platform can:

1. Mobilize and complete your identity management project
2. Coexist with or replace your existing identity management point solution
3. Reduce security risk and improve regulatory compliance

A couple of weeks ago, I blogged about a new Aberdeen Research Brief, “Identity and Access Management – Platform vs. Point Solution.” On September 15th, you can attend a webcast where Derek Brink, Vice President and Research Fellow, Aberdeen Group and Naresh Persaud, Director of Product Marketing, Oracle, will analyze the results of the Aberdeen study and explore how a platform approach can reduce the administrative cost, improve security and reduce audit exposure.

The webcast will show how :

Achieving a successful Identity Management program means integrating tools for administration, governance, sign-on, web-access control and authentication. Choosing an integrated suite or “platform” of solutions from a single vendor can have many advantages over choosing “point solutions” from multiple vendors.

You can register for the event here.

On September 22nd, I will give two presentations at the Oracle Security Solutions Forum held at the W Hotel in Scottsdale, Arizona:

• Identity Management 11g: A Giant Leap in Identity Management
• Addressing Access Governance with Oracle Identity Analytics 11g

If you plan to be in Arizona on the 22nd, please drop by and join us!