
Exploring the science and magic of Identity and Access Management
Friday, November 8, 2024

IAM Project Governance – Cooperative Execution

Identity
Author: Mark Dixon
Saturday, March 23, 2013
5:19 pm


Back in November 2009, I wrote a post entitled, Best Practices for the IAM/Compliance Journey that outlined 13 recommended practices to improve the probability of success in implementing IAM systems.  One of the recommended practices was “Establish a Governance Process”:

Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.

This recommendation certainly still holds true.  It refers to the type of Strategic Governance that should be an integral part of a company’s IAM strategy, ensuring that IAM technology is aligned with and supports a company’s business objectives and strategy.

However, in the past few months in my work with Oracle, I have begun to crystalize my thoughts about a more tactical kind of governance, which I call IAM Project Governance.  This process is focused on how to make sure a specific project within the IAM journey stays on track and meets specific tactical objectives under the umbrella of the company’s IAM strategy.

IAM Project Governance is based on four distinct, but interrelated principles in a spirit of Cooperative Execution:

Alignment

The three major participants in an implementation process – Customer, Software Vendor and Systems Integration Partner – must be aligned in project objectives,  understanding of the project plan and the project schedule.  This alignment must include executive sponsors, director and management levels, and project levels from all three parties.

Commitment

The three major participants must be uniformly committed to the project success, and be willing to work together to make it so.  This is real commitment, of focused attention, time, effort and resources that will lead to mutual success.

Communication

Communication must be regular, articulate, candid and open.  A regular cadence of interaction at all levels of the project leadership, from executives down through day-to-day project team members, must be organized and executed.  It is this type of regular communication that can nip problems in the bud by giving proper attention and allocating appropriate resources before problems fester and grow out of control.

Consistency

Implementing an IAM system takes focus, hardware and consistent effort.  The mechanisms for ensuring a successful project must be consistent and thorough.  Don’t let up or get complacent.  Hold each other accountable for commitments and assigned responsibilities.

Time and time again, we have seen how these principles, if followed, can lead to success.  Yet all too often, we also see where companies try to take shortcuts in the name of tactical expediency, and fall short in their expectations for project success.

I’ll discuss more on this topic in the near future. Stay tuned.  In the meantime, Cooperatively Execute!


Discovering Identity on Paper.li

Identity
Author: Mark Dixon
Friday, March 22, 2013
10:00 pm


This blog is, if anything, a place of personal experimentation.  Tonight I finally signed up to create a paper.li newsletter, named, you guessed it, Discovering Identity. Yeah, I know there are already several such newsletters serving the Identity community.  The big question I have is, “How will the paper.li algorithms select articles from sources I specify any differently than for other similar papers?”

It will be interesting to experiment with sources and priorities to see if I can forge something worthwhile.


Privacy and Security by Design: A Convergence of Paradigms

Identity, Information Security, Privacy
Author: Mark Dixon
Thursday, March 21, 2013
2:32 pm


In the Oracle Information InDepth newsletter I just received, a new white paper, “Privacy and Security by Design: A Convergence of Paradigms,” was announced. The paper is a collaboration of Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada, and Marc Chanliau, Director, Product Management, Oracle Corporation.

The foreword by Ms. Cavoukian includes this statement:

My hope is that privacy and security – by design, will continue to evolve into an essential component of information technologies and operational practices of organizations, as well as becoming an integral part of entire systems of data governance and privacy protection.

The paper further explains the value of these converging topics:

This paper highlights the convergence of these two paradigms. In the first part, the concept of security by design as understood in the technical community is introduced. In the second, the concept of Privacy by Design (PbD) as understood in the privacy community is discussed. The third and final part explores how these two concepts share notable similarities and how they may complement and mutually reinforce each other.

The paper provides a good overview of Security by Design …

… we address three aspects of security by design: i) software security assurance (designing software systems that are secure from the ground up and minimizing the impact of system breach when a security vulnerability is discovered) ; ii) preserving privacy in the enterprise environment and; iii) ensuring identity across heterogeneous vendors.

… and Privacy by Design.

Privacy by Design … is aimed at preventing privacy violations from arising in the first place. PbD is based on seven (7) Foundational Principles. It emphasizes respect for user privacy and the need to embed privacy as a default condition. It also preserves a commitment to functionality in a doubly-enabling ‘win-win,’ or positive-sum strategy. This approach transforms consumer privacy issues from a pure policy or compliance issue into a business imperative.

The paper concludes:

It is becoming widely recognized that privacy and security must both be embedded, by default, into the architecture, design and construction of information processes. This is a central motivation for PbD, which is aimed at reducing the risk of a privacy harm from arising in the first place. By taking a proactive approach, it is possible to demonstrate that it is indeed possible (and far more desirable) to have privacy and security! Why settle for one when you can have both?

I found the paper to be thoughtful and timely. By coincidence, this morning I committed to an event next week where I will meet Ms. Cavoukian. I look forward to it!

 

Identity Verified by miiCard

Identity
Author: Mark Dixon
Wednesday, March 20, 2013
9:41 pm


This evening, I stepped through the process of having my identity verified by miiCard. The process of establishing an account, verifying my identity, linking to my online accounts and posting a badge on my blog took about 30 minutes. Not too bad. You can click on my badge on the right to check the extent of my verification.

It will be interesting to learn how I can leverage this in the future.

 

SquareTag Identity Relationship Diagram

Identity
Author: Mark Dixon
Wednesday, March 20, 2013
6:35 pm

Combining my thoughts about my SquareTag Blogtagging experiment and Identity Relationship Diagrams, I created the following diagram, which illustrates my understanding of how the SquareTag system works:

[Figure: SquareTag Identity Relationship Diagram]

 

The basic Identities and Relationships are:

  1. I am a person.  It starts with me.
  2. I own a Thing – this blog. It belongs to me.
  3. I control my Personal Cloud, which is a service hosted by SquareTag.  It responds to my inputs and sends me messages.
  4. The Personal Cloud contains a SquareTag code for my blog.
  5. A person named John visits my blog and scans the SquareTag – a very temporary relationship.
  6. The action of scanning connects John to my personal cloud, and he is prompted to send a message to me.
  7. The Personal Cloud sends a message to me via SMS – including the GPS coordinates of where the scan was made and a text message, which includes John’s Twitter handle.
  8. I post a message to John on Twitter – another service to which I subscribe.
  9. John receives my message in the Tweet stream and responds to me.

As I made this diagram, I became aware of a few things I need to refine in the Identity Relationship model.

The graph edges (arrows) are relationships, but I think I have labelled some of them as data flows, rather than relationships.  I need to come up with a way to differentiate between the relationship and information or messages that are exchanged because of the relationship.

How should fairly static relationships (like blog ownership) be differentiated from transitory relationships (e.g. visiting a blog, scanning a SquareTag)?

Should a Personal Cloud be divided into a Subject and a Service?  Johannes Ernst’s recent post would perhaps infer that.  Perhaps the Subject is “what it is” or “what it does”; the Service is “how I access and control it.”

The diagramming software I use, Graphviz, has some decided advantages and disadvantages.  Because it is data driven, I don’t have to keep re-drawing the diagram by hand.  However, I don’t have much control over the esthetics of the diagram.

If anyone has any feedback, I’d be happy to hear it.

 

 

#SquareTag Experiment – Take 2

Identity
Author: Mark Dixon
Monday, March 18, 2013
7:58 pm


Last Saturday, as my previous post described, I launched a little experiment by SquareTagging my blog. I had to make a few adjustments as I received some responses back from the kind folks who participated in the experiment.  Thanks to Phil Windley who was very helpful in answering questions and connecting me with a couple of the Kynetx developers.

It was fun to get responses from five states (Arizona, California, Idaho, Nebraska and Utah). Thanks to all of you who scanned or clicked on the SquareTag.

I have begun to formulate in my mind a blog post or two about personal clouds, based on this experiment.  Please stay tuned for more.

If you haven’t done so, could you please scan or click on the SquareTag in this post or in the header of the blog?  I’d really appreciate it.

Thanks,

Mark

 

Blog Tagging with #SquareTag

Identity
Author: Mark Dixon
Saturday, March 16, 2013
10:44 am

I received my first order of SquareTag labels this week and tagged the normal things – iPad, briefcase, etc. It was fun to see that when a tag was scanned, the SquareTag “SafeAndMine” system sent me a geotagged message indicating where the scan had taken place.

In the wee hours of this morning, during a bout of insomnia, I had a brainstorm – why not SquareTag my blog? So, here it is. Please scan the SquareTag label, in this post or in the blog header, and send me a short message. It would be great to see who tagged me and where you are located. I’ll report back with the results.

One caveat … when you scan my tag, you will get a message from SquareTag saying, “You’ve found my Other.” The good folks at Kynetx didn’t anticipate this little experiment, so my blog is, at least for now, an “Other”.

Thanks – and good tagging!


Of Piggy Banks and Mobility – Oracle White Paper

Identity, Information Security
Author: Mark Dixon
Saturday, March 16, 2013
6:58 am


Oracle recently released a white paper entitled, “Oracle Access Manager Mobile and Social, A Case Study – Piggy Bank.”  This white paper outlines the use of the Mobile and Social component of the Oracle Access Management platform.  Mobile and Social provides a simple means to integrate Mobile applications with the security capabilities provided by Oracle’s Identity and Access Management platform.

The white paper:

discusses the effort involved in executing a Proof of Concept with a major international bank. While the PoC exercise was real and the requirements described in this paper implemented, certain details have been changed to protect the identity of the bank and its security architecture and simplified for those new to OAM Mobile and Social.

The Proof of Concept detailed in this white paper involved three main tasks:

  1. creating a simple electronic banking application
  2. the REST/JSON services for the application
  3. securing the application and services with the Oracle IAM technology stack.

The “Piggy Bank” represents the bank for which the Proof of Concept was completed.  The basic PoC architecture is shown below:

[Figure: basic PoC architecture]

 

The white paper does a good job of outlining just what is necessary to configure the components in this architecture.

The white paper concludes:

While the PiggyBank application is quite simple, it illustrates the power and capabilities of the Oracle Identity and Access Management platform including Oracle Access Manager, Oracle Adaptive Access Manager and some of the Mobile and Social Services. By using the OAM Mobile and Social SDK a fully functional mobile e-Banking application was created and secured in a very short time, without the need to install and configure any additional software and without the need to write complex code to secure the mobile App and its communication to the services it uses. 

A customer with an existing security infrastructure based on Oracle Access Manager and Adaptive Access Manager can easily deploy Oracle Mobile and Social to extend the same security capabilities to mobile applications. By using the Mobile and Social SDK customers can seamlessly integrate security into their native Apps on popular mobile platforms including iOS and Android.

The need for secure mobile access is already huge and growing rapidly.   The Oracle Mobile and Social product goes a long way towards meeting that demand.

 

 


#MobileIDM Tweet Chat Archive

Identity
Author: Mark Dixon
Friday, March 15, 2013
4:57 pm

Last week, on Thursday, March 7th, the second @OracleIDM Tweet Chat (AKA Tweet Jam) was held. It was great to participate with many others on this lively and informative chat. The Chat Archive for #MobileIDM has been posted here for review.


Big Data Analytics – Subtle Patterns and Relationships

Identity
Author: Mark Dixon
Thursday, March 14, 2013
8:55 am


A recent Wall Street Journal article, “When ‘Likes’ Can Shed Light,” stated:

Patterns of “Likes” posted by people on Facebook can unintentionally expose their political and religious views, drug use, divorce and sexual orientation …

My first response was, “Duh, of course!”  But I think the implications are much deeper.  A wide range of disparate conditions can be linked together to imply seemingly distant results.  For example:

“Likes” for Austin, Texas; “Big Momma” movies; and the statement “Relationships Should Be Between Two People Not the Whole Universe” were among a set of 10 choices that, combined, predicted drug use. 

“Likes” for swimming, chocolate-chip cookie-dough ice cream and “Sliding On Floors with Your Socks On” were part of a pattern predicting that a person didn’t use drugs.

What in the world do all those things have to do with each other?
 
The article suggests that this type of analysis …

… arises from an emerging discipline in which experts sift through extremely large digital data sets, such as collections of web searches or Twitter messages, for subtle patterns and relationships.

“Subtle Patterns and Relationships” is the key phrase.  In our highly connected world, we all leave digital breadcrumbs scattered about that are subject to this type of analysis.  Sophisticated data analytics will progressively be able to pinpoint behavior patterns and even predict behavior, based on relationships between seemingly disparate and unrelated bits of data.
 
Will this be used to do a better job of targeting advertising?  If so, that might be beneficial to vendors and consumers alike.
 
But could it be used for nefarious purposes – even harassment, stalking, exploitation or discrimination?  You bet.  We had best be careful out there.
 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.