I enjoyed reading Ian Yip’s blog post this morning: “Identity is the Foundation.” The heart of the message:

We need to be stating the fact that Identity is foundational to the enterprise. i.e. Identity is the foundation. (emphasis addeed)

As far as identity is concerned, we need to think about it a little differently than we have in the past. Identity is less about the “who we are” and more about “what we are”. We care a lot more about what normal usage patterns look like, what someone is currently doing and what else they could potentially do. In other words, identity today is so much more than it used to mean in the past. It is really about reputation, relationships, context, activity, behaviour and being able to take fast, appropriate action in reaction to things that happen.

I think the concept that identity is a dynamic and immediate is solidly in step with modern business reality.

Recently, I have received several invitations to join the “schoolFeed by Classmates” app on Facebook – from people I knew and went to school with in Richfield, Idaho, many years ago.  I am very, very selective these days about which apps I authorize, by I finally signed up.  When I joined the app, I hoped to connect with a few new people whom I haven’t seen for ages.  However, I was presented with a long list of folks who all graduated from Richfield High School – just not the tiny one I attended with only 13 people in my graduating class!

The trouble with this app is that it apparently fails to recognize that “Richfield High School” can apply to any number of high schools in the country, not just the tiny one I went to. I suppose those on the list are all nice people, but just not the ones I remembered.  But I did get a nice complement for a picture I posted from a person I had never met!  How bad is that?

This is a clear example of how attaching an attribute like “Richfield High School” to my online identity does little good unless that attribute is unique enough to satisfy the need for which it was intended.  In this case, it fell woefully short!

But the app is in “beta” release – which automatically forgives all blatant errors, even if they strike at the very heart of the app’s driving purpose, right?

In response to requests that I refresh my Discovering Identity blog that has been lying dormant on blogs.oracle.com since February 2010, I have commenced today to satisfy that request.

I created this blog on blogs.sun.com in May 2005 and updated it regularly until Oracle acquired Sun in February 2010, at which time I switched to self-publishing the blog here at discoveringidentity.com.  The full archive of my posts from May 2005 to February 2010 is available on this site and also on the oracle.blogs.com site.  From now on, I will publish items of interest to the Oracle community on both sites and address issues beyond that scope on this discoveringidentity.com site.

If anyone has items you would like me to address specifically on the blogs.oracle.com site, please let me know.

I recently participated in an Identity and Access Management architecture session where I was asked a direct question, “Do you consider user attributes not stored in the main directory a part of user Identity?”  When I said yes, a few people seemed somewhat perplexed.  Please let me explain my point of view.

I think there is a propensity to think that “Identity attributes”  are strictly limited to those stored in a directory user object.  That focus is too narrow.  While it may be that the “Identity Management System” only knows about those attributes, the sum total of real Identity information can be much broader.  This broader view of Identity is essential if we hope to leverage Identity Management to enable innovative business models.

For example, if I am an online vendor hoping to leverage user Identities to provide a highly personalized user experience for my customers, I must not rely only on the user object in the authentication directory.  A more rich set of Identity data comprising history, preferences and real-time context must be considered. This information may reside in multiple repositories.

Just my thoughts.  What do you think?

What are the most frequent requests I hear from Identity and Access Management customers?  “How can I use this stuff most effectively?”  “What are the best practices?”

Features and functions, speeds and feeds are not front and center in the dialog.  The main topic of conversation tends to revolve around the best practices for using IAM to business advantage.  What have we collectively learned that will make success easier to achieve and more predictable?

In the maturing IAM industry, we have made great strides in learning how to install and configure IAM technology.  Many companies have learned how to derive business value from IAM.  Unfortunately, we haven’t done a good job of consistently documenting and sharing the experiences we have all gained in making it all really work. We have not consistently distilled experience gained into prescriptive recipes for success.  Customer success stories provide good anecdotal evidence, but fall short of being prescriptions for success.  We have precious few white papers that focus on how to make things work, rather than on extolling features and functions.

It would be an interesting exercise to interview a wide range of companies that have implemented IAM, derive from that body of collective knowledge what really works and what doesn’t, and present that information in a set of best practices that can help others succeed.  Book idea? We’ll see.

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

• Snooping into medical records of fellow employees (35%)
• Snooping into records of friends and relatives (27%)
• Loss /theft of physical records (25%)
• Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

• One to three days (30%)
• One week (12%)
• Two to four weeks (17%)

Once a breach was detected, it was resolved in:

• One to three days (16%)
• One week (18%)
• Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

In an Oracle webcast on September 20th, Scott Bonnell, Sr. Director of Product Management, Oracle, and Naresh Persaud, Director of Product Marketing, Oracle, will explore how the Oracle identity platform can mobilize stalled deployments, allowing customers to accelerate identity projects.

This complimentary Webcast will show how the Oracle identity platform can:

1. Mobilize and complete your identity management project
2. Coexist with or replace your existing identity management point solution
3. Reduce security risk and improve regulatory compliance

On September 22nd, I will give two presentations at the Oracle Security Solutions Forum held at the W Hotel in Scottsdale, Arizona:

• Identity Management 11g: A Giant Leap in Identity Management
• Addressing Access Governance with Oracle Identity Analytics 11g

If you plan to be in Arizona on the 22nd, please drop by and join us!

Do you lapse into the “Audit Eye” trance when facing a tough audit?

Oracle Identity Analytics can help … really!

During the past three weeks, I have interacted with three major customers, in industries as diverse as transportation, apparel and entertainment, that had one thing clearly in common – each saw Identity and Access Management as a fundamental, critical enabler for new business models each company is pursuing.  It is all about knowing who your customers are individually, and interacting with them in a highly personalized, tailored way, in the context of their choosing.

Today I sat through a presentation that depicted IAM in the traditional context, as something that would improve compliance, increase operational efficiency and enhance security.  While these drivers are still valid, I couldn’t help but contrast those two views.

On one hand, IAM is considered to be very defensive in nature, necessary but burdensome.  On the other hand is an innovative vision that IAM is first and foremost a proactive, offensive weapon and business enabler, secondarily a protective shield.

Can you tell where I’d rather play?