
Exploring the science and magic of Identity and Access Management
Friday, November 8, 2024

Achieving Better Compliance with Identity Analytics

Identity
Author: Mark Dixon
Friday, February 15, 2013
2:28 pm

Vadim Lander, Oracle’s Chief Identity Strategist, recently published a compelling article in Web Security Journal entitled, “Five Steps Toward Achieving Better Compliance with Identity Analytics.”  He observes:

Enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful.

Vadim recommends five steps toward more effectively leveraging identity analytics technology to assist enterprises in achieving robust identity compliance and remaining in compliance moving forward:

  1. Become risk aware
  2. Control privileged access
  3. Automate remediation
  4. Reduce the potential for audit violations
  5. Take a platform approach to identity management

An excerpt from the conclusion:

Automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

Hope you enjoy the article.


Relationship Value

Identity
Author: Mark Dixon
Friday, February 15, 2013
6:18 am

In the book “The Emergence of the Relationship Economy,” Jay Deragon proposes that:

The value of the relationship is categorized into four elements of the individual, and may be of one dimension or a combination:

  1. Economic
  2. Intellectual
  3. Emotional
  4. Spiritual

To understand the juxtaposition of Identity and Relationship, I listed some of my current relationships in the following tables:

 

People Relationships

[Table image: IR people]

 

The first table lists a few people relationships I have.  The first, my wife, provides value to me (that sounds kind of crass, actually) in all areas.  Her economic value comes not from revenue (she chose dual careers as  Homemaker and Stay-at-home-Mom), but in her thrift, wise use of money and sound economic advice.  In addition, I deeply value her wisdom, friendship and spirituality.

My relationship with Claudia is in quite stark contrast to my very distant relationship with my employer, Larry Ellison.  Sorry, Larry, I see the value of our relationship as primarily economic, although I must admit receiving a bit of intellectual stimulation from reading about your personal exploits.

On the other hand, my relationship with John, a colleague at Oracle, began as an economic relationship as we worked together in the sales organization, but grew into a deep friendship, with intellectual, emotional and spiritual value.

The final example is Neil, the Bishop of our church congregation and close neighbor.  We have developed a  friendship I value highly, based on strong spiritual, emotional and intellectual relationships.

It could be an interesting experience to assess the value we receive from all of the people with whom we interact in some way, but the real purpose of this post is to explore the value of relationships with information systems.   The following table illustrates a few of the systems with which I interact regularly.

 

System Relationships

[Table image: IR systems]

 

I definitely have an economic relationship with Oracle Payroll.  Twice every month, a nice paycheck drops into my bank account, and I log onto the payroll system to see how much money I pay in taxes and investments.  While I admit to deriving some emotional satisfaction from that process, we’ll let it remain as an economic value.

In contrast, the different email systems I use can provide value across the board, as I communicate with people on a wide range of subjects.

In social networks, LinkedIn is the vehicle I use to primarily keep track of professional colleagues and associates, although I get emotional value out of maintaining and building friendships with people across miles and time.

Facebook, on the other hand, is where I actively seek to strengthen emotional and spiritual ties with friends and family.

Kindle also sweeps the board – my virtual bookshelf contains titles that provide value in all four areas.

This brings me to a couple of examples of my relationship with “things” that deliver value.  I can monitor and control my new home alarm system from an app on my phone.  The system provides economic protection and emotional peace of mind.

Finally, my remote thermometer satisfies an intellectual curiosity about how hot it is outside, here in the Arizona desert.

It is important to note that how a person uses or views a particular system may influence the value he receives.  For example, I know of people who leverage Facebook primarily for economic advantage.  I just choose not to do that.

 

So What?

How does this relate (pun intended) to Identity?  Here are a few thoughts:

  1. Exposed Personae: Certainly different facets of my personal identity are exposed as I interact with different people.  Larry Ellison will never see (even if he cared to) parts of my personality that I have reserved for my closest friends.  My closest friends will never know of parts of myself I share only with my wife.
  2. Context: The context of relationships differs, depending on time of day, distance apart, frequency of interaction, mutual interests, etc.  Such differing context has a large impact on the value derived from relationships.
  3. Connection method:  How does the relationship connect me with the person or system?  With people, is the relationship primarily in person, by phone, via email, via a social network or all of these?  Is a digital identity required to enable the relationship?
  4. Available functionality: For systems with which I interact, what functionality is available?  What can the system deliver that delivers value to me?
  5. Authorized access: Of the sum of all functionality in a system, what am I authorized to use, or what functions do I choose to use?

Focus on Value

Yesterday’s post illustrated a few cases of how relationships can exist between identities and resources or identities and people.  I propose that we should focus not on which relationships exist, but on what value can be derived from each relationship.

In interpersonal relationships, hopefully, value flows to both parties.  In the case of employee relationships with enterprise systems, hopefully value accrues both to the employee and employer.  In the case of individuals connecting to online systems or things, hopefully each person receives value from those relationships.

And Identity is at the core of making these relationships happen.

Stay tuned …

 

 

 


Identities and Relationships

Identity
Author: Mark Dixon
Thursday, February 14, 2013
5:55 pm

In line with my post yesterday about viewing identities and relationships from the vantage points of “enabling” and “protecting,” I created three diagrams to illustrate how relationships between people and resources or other people provide the opportunity for value creation.

The first diagram illustrates the relationships a person may typically have with information resources within an enterprise.  The objective of these relationships is to connect individual people with the applications or systems that may deliver value, both to the individual and to the enterprise.  Typically, these relationships are granted and governed by the enterprise.

 

[Diagram: IR Enterprise]

 

The second diagram illustrates a person’s connection to items within the emerging Internet of Things.  In some ways, this model is similar to the enterprise model, in that connections are made between people and resources.  However, in this model, individuals typically would initiate and govern their own relationships with things that would deliver value to themselves.

 

[Diagram: IR Things]

 

In the third model, people establish relationships not just with functions or services, but with people, effectively connecting identities together via a social relationship platform.

 

[Diagram: IR Facebook]

 

In line with my comments yesterday, I propose that in each of these cases, relationships must be established to “enable” people to derive the value they seek.  Both Identities and relationships must be “protected” to prevent the wrong people from interfering with a person’s desire to derive value from the relationship, whether it be with a function, service or other person.

That’s all tonight.  More on the morrow.


Identities and Relationships: Enable and Protect

Identity
Author: Mark Dixon
Wednesday, February 13, 2013
3:31 pm

My thoughts for this post were triggered primarily by two items – me beginning to read “Emergence of the Relationship Economy” and reading Nishant Kaushik’s tweet Monday:

Is Identity The New Perimeter? – http://t.co/gSQwni5d. Check out the article to see my answer. Hint: It might surprise you. #IAM

I was intrigued by the subsequent conversation:

Ian Glazer:  Good read: http://t.co/gVQHy7MI @NishantK says #IAM is the perimeter. I say relationships are the perimeter. Probably ought to blog this

Dave Kearns:  RT @lpeterman: @iglazer @NishantK Relationships designate the borders of the identity perimeter

Nishant: @iglazer If an account being provisioned to a person is a relationship, if attributes are related to a person, then IAM=Relationship M. So..

Nishant:  @iglazer So…, question is what is the difference between Identity Management and Relationship Management? Where is the separation?

Of course, there were also bits of levity:

Paul Madsen: My take? Circumference is the new perimeter.+

Dave Kearns:  RT @NishantK: @iglazer what is the difference between Identity Management and Relationship Management? Oprah’s name doesn’t come up in IdM

First, I agree that from an information security standpoint, the perimeter has drastically shifted. There is no longer a firm physical or logical perimeter around an enterprise that can be hardened sufficiently to minimize risk to the people and systems inside.

To realize that we must focus on the individual rather than the enterprise boundary as a first line of action and defense certainly seems wise to me.

But what is the correct terminology?  Is IAM really Relationship Management?  Is Identity the New Perimeter?  Are Relationships at the real border?

Although I am late to the conversation, here are a few of my thoughts on the subject:

A digital Identity represents a single person or thing in some way.  A digital Identity can certainly include attributes or characteristics that uniquely identify such a person or thing.  A digital Identity surely has value and meaning in and of itself.  However, I believe relationships are what give Identities real substance, particularly as we consider the subject in light of current and emerging business models.

Real-world relationships constitute linkages between individuals, or between individuals and organizations, or between individuals and things. We may describe digital relationships as the attributes, permissions, entitlements and roles that define how digital identities are linked with organizations, people or things in the overall ecosystem in which the identities reside or participate.

So, is it appropriate to talk about “Identity Management” or “Relationship Management?”  I propose that both are included in the common definition of Identity and Access Management.  Surely, IAM includes managing individual digital identities (e.g., names, attributes, credentials).  However, IAM also includes the management of relationships – assignment of entitlements to an identity is a good example.

However, I think “management” is the term that is out of whack – not identity or relationship.  Management typically implies one-way force, control or direction.  This is the case for traditional IAM – the enterprise creates, owns and governs the identities and associated relationships for all of its users.

On the other hand, the philosophy behind personal identity management implies that each individual should create, own and govern his or her own Identity, free of coercive control from an enterprise.

I don’t think the boundary is as cut and dried as that.  It is helpful to consider what enterprises really want and what individuals really want.  If we look at the issue that way, I think the verbs “enable” and “protect” are more descriptive than “manage.”

As an individual, I want to participate in systems that “enable” me (as defined by my digital identity) to form relationships that deliver value to me.  I also want systems that “protect” both my identity and the relationships I enter against threats from impostors, thieves and vandals.

On the flip side, I think enterprises seek similar value.  They want to “enable” their users (think digital identities) to establish relationships with systems, people and things that will deliver value to the enterprise.  They also want to “protect” the identities and relationships of their users against threats from bad folk.

The CRM/VRM debate is an example of looking at relationships from different viewpoints.  At one extreme is the enterprise wanting to exert onerous control over all its customers to maximize commerce – hence customers managed by enterprises.  At the other extreme is the enlightened consumer wanting to be free from enterprise tyranny – or vendors managed by consumers.

However, the optimal answer probably lies somewhere on the scale between the extremes.  In both cases, if we concentrate on what both parties really want, we will progress to a more optimum solution.

If we are to progress toward a highly cooperative ecosystem where multiple  relationships deliver superior value as envisioned by “Emergence of the Relationship Economy,” we must build infrastructure to “enable” and “protect” identities and relationships from multiple points of view.

 


NIST Authentication Guidelines – Draft Report

Identity
Author: Mark Dixon
Tuesday, February 5, 2013
5:53 pm

Ironically, a couple of weeks after the @OracleIDM #authchat Tweet Jam about trends in authentication was held, NIST released DRAFT Special Publication 800-63-2, Electronic Authentication Guideline, over 110 pages of scintillating reading on the subject:

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.

No, I haven’t read the entire report, but I did skip forward to page 102 because the table of contents promised a discussion of “Password Entropy,” and I really like the word “entropy.”  But alas, the most profound thing I read was the obvious: “Empirical and anecdotal data suggest that many users choose very easily guessed passwords, where the system will allow them to do so.”

Enjoy!


Trend Watch: Identity Management Top 5

Identity
Author: Mark Dixon
Friday, February 1, 2013
4:53 pm

This week’s Oracle Information InDepth Security newsletter, “Inside Out Edition,” featured comments from Vadim Lander, Oracle’s chief identity architect, on key trends that will shape identity management in 2013 and beyond. The trends he described are:

  1. Mobility Is Gaining Momentum
  2. Identity Management as a Service Is Emerging
  3. A Trend Towards Portable Identity
  4. Authentication Services Are Evolving
  5. Organizations Continue to Move from Silos to Centralized Systems

I was particularly intrigued by his comments on portable identity:

I expect Oracle customers using Oracle applications via SaaS will increasingly use their Oracle Cloud identity as the identity for a chunk of their user populations, rather than trying to maintain multiple identities in their on-premises system.  Since Oracle is already maintaining a cloud identity for every Oracle Cloud user, that identity is portable as far as the user is concerned. Even if users leave the organization, their Oracle identity can still belong to them as they change jobs. Just as your Google or Facebook identity can provide portability, your Oracle identity may be able to provide the equivalent in a business context.

Oracle as business IdP?  Intriguing thought.


IAM Tweet Jam: Authentication

Identity
Author: Mark Dixon
Thursday, January 31, 2013
7:38 pm

Last week, I participated in the first IAM Tweet Jam led by Mike Neuenschwander on @OracleIDM to discuss Authentication trends and predictions for 2013.  I really enjoyed the interchange of ideas and insight about such a timely topic in Identity Management.

Today, the highlights of the Tweet Jam were posted on Storify.  I was pleased to see that my concluding tweet was published:

I look forward to participation in further IAM Tweet Jams.

Thanks, Mike, for hosting this event.


Facebook – My Identity Arbiter?

Identity
Author: Mark Dixon
Thursday, December 13, 2012
8:54 pm

Arbiter:

  • a person empowered to decide matters at issue; judge; umpire
  • a person who has the sole or absolute power of judging or determining.

When I read the recent Computerworld article, “Facebook: The new arbiter of enterprise identity” this morning, I didn’t quite know what Arbiter meant, so I looked it up.

Robert Mitchell commenced his article by stating:

Today Facebook knows your identity. Tomorrow Facebook may very well be your identity. Before long, enterprise identity and access management may key off of social media identities rather than remaining an island unto itself. Are you prepared? That’s the message that Gartner analyst Earl Perkins passed on to attendees at the Gartner Symposium/ITxpo conference last month.

I know I’m not ready, and highly doubt my employer is ready to cede “absolute power of judging or determining” to Facebook or any other independent entity.  We have a long way to go before any corporation in its right mind would trust Facebook or any other popular social media site to authoritatively vouch for the identities of their employees.

I agree with Jackson Shaw’s observation in his comment to the article:

… until there is some sort of formalized identity verification done around Facebook it will be difficult for an enterprise to simply accept a Facebook credential. Is that Facebook user really me? Also, what about stronger password policies (length of password, change period, complexity, use of strong two-factor authentication) and better security generally for Facebook? There needs to be more enterprise security built into Facebook before it can ever be used by an enterprise.

So, let’s wait and see.  I think it will be a long time before Facebook or any other identity provider supplants the core identity management infrastructure of major enterprises.  Complement, certainly.  Replace?  It will take a while.

 

 


Identity is the Foundation

Identity
Author: Mark Dixon
Wednesday, September 19, 2012
5:43 pm

I enjoyed reading Ian Yip’s blog post this morning: “Identity is the Foundation.” The heart of the message:

We need to be stating the fact that Identity is foundational to the enterprise. i.e. Identity is the foundation. (emphasis added)

As far as identity is concerned, we need to think about it a little differently than we have in the past. Identity is less about the “who we are” and more about “what we are”. We care a lot more about what normal usage patterns look like, what someone is currently doing and what else they could potentially do. In other words, identity today is so much more than it used to mean in the past. It is really about reputation, relationships, context, activity, behaviour and being able to take fast, appropriate action in reaction to things that happen.

I think the concept that identity is dynamic and immediate is solidly in step with modern business reality.


Kuppinger Cole: SAML is Dead. Long Live SAML.

Identity
Author: Mark Dixon
Monday, September 17, 2012
10:18 pm

I attended a very thought-provoking Kuppinger Cole webinar last week, entitled, “SAML is Dead.  Long Live SAML,” featuring Craig Burton of Kuppinger Cole and Pam Dingle of Ping Identity.  It is now available as an on demand webcast.  My favorite slide addressed the sheer scale of what we are expecting to see in just a few years.

We are all familiar with big, complex operations now:

  • Large enterprise Identity repositories:  hundreds of thousands
  • Large mobile telephony user repositories: low hundreds of millions
  • Large social media sites: high hundreds of millions

Adding addressable devices and the APIs to support those devices is mind-boggling.

  • Devices by 2015:  almost 3 billion
  • APIs to support all those devices: almost 27 billion

Meeting that demand will take some real innovative technology and processes.  The webcast was certainly worth an hour of my time.  I highly recommend it to you.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.