Friday, July 29, 2005

eye-dentity

could it be that identity is in the eye of the beholder?

In some e-mails going around, it was posed that identity is intrinsically linked to reputation. I'm not so sure ...

There's a duality to identity and reputation in a real-world context. I can identify a subject based on information, but that subject's reputation with me might be based on the context (e.g. fingerprints identify an individual, maybe a criminal). In other cases, the subject's reputation becomes their identity, in absence of any other information.

But I think Kim said it one-better ...

Trust decisions are always ultimately local - judgments made from the vantage point of the "relying" party. The relying party needs always to evaluate who is positing both identities and reputations, and act accordingly.

Monday, July 25, 2005

one view on making user-centric convenient

In his recent blog, Dave writes "Putting users in control of their own data, and needing to approve and verify its dispersal, could cut a majority of this fraud."

The one thing I keep thinking of regarding Identity 2.0 and user-centric models is this:

* Any improvements to prevent identity theft have to be as user-friendly as credit cards ... you use it, others trust it, they track the use and distribution and notify you of suspicious behaviour

Unless it's that easy, and that much a part of the infrastructure, people won't be bothered unless they're a victim. I'm educated, but even I don't have time to manage my own information. I hire a financial advisor for my portfolio, so I don't have to track it daily. I use credit cards because they're convenient. I don't feel safe, but accept the risk as a trade-off for the free time to live my life.

The problem with large infrastructure is that it may become stagnant (inflexible), and thus subject to penetration (e.g. the current ATM and credit card industry today). Data Collectors and Identity Service Providers could be like credit card companies ... they might provide the convenience required to make user-centric identity work, but are subject to stagnation if not managed properly.

---------------

Dave also writes: "Institutions seem powerless to prevent the fraud from happening. Or are simply reluctant to take the steps necessary. Users have a much bigger stake ... User-centric identity is an idea whose time has come, it's time that the corporate world recognized it."

Since I focus on IdM for the corporate world, it's not a matter of recognizing it, it's a matter of investment. As Jarrod Jasper said "there is no ROI, but companies are willing to pay to relieve pain ... redirecting money wasted manually cleaning-up information vs. permanently fixing the problem". Corporations are now IT-Value focused ... unless it's going to affect the bottom-line, it's not high priority.

User-centric identity will be a focus point only after it's realized to be tied to regulatory compliance and identity theft. The first corporate market will be retail ... they already focus on identity because they're incented to ... they want to know who's buying from them and that it's not fraudulent purchases.

Corporations are still wrestling with the fundamentals of user registration, synchronizing and cleansing data, and SOX compliance. They barely trust that the data they own is accurate, let alone trusting the user with owning the information. So it'll be a while before they care.

Thursday, July 21, 2005

catch-22 on web services for identity management

David Kearns writes:

"the era of the suite was now passing by and that the future lay with modular services within a Web services/service oriented architecture framework from one or more vendors was the wave of the future" http://www.networkworld.com/newsletters/dir/2005/0718id1.html

In the few Web Service applications I've seen written, the programmers have not transcended into a more secure means of doing application-level identification, authentication, and authorization. Some have latched onto SAML, where it's available, but that's not always the case in most corporations. In my industry it seems like they are using Web Services as a mechanism to re-face legacy applications. In those cases, the ID and password for the legacy application authentication still remain embedded in the web app, so every caller reaches the legacy system as that one embedded account. Seems to me like an identity management solution needs to exist for the Web Services and applications before IdM solutions can be built on Web Services.
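An added example (mine, not code from the post or any product it mentions) of the two facade styles the paragraph contrasts. The legacy application, its account table, the shared `svc_facade` credential and the HMAC-signed assertion format are all constructed for illustration; the assertion stands in for a SAML-style token. The point it shows: with the embedded credential the legacy app's own role checks are bypassed for every caller, and fixing that means the legacy side itself has to learn to trust an assertion, which is the catch-22.

```python
import base64
import hashlib
import hmac
import json

# Constructed legacy account store: the legacy app authorizes by role.
LEGACY_ACCOUNTS = {
    "svc_facade": {"password": "changeme", "role": "admin"},  # shared service account
    "jsmith": {"password": "pw-jsmith", "role": "clerk"},
    "mlee": {"password": "pw-mlee", "role": "manager"},
}


def _legacy_authorize(account, record_id):
    """Legacy authorization rule: confidential records need manager/admin."""
    role = LEGACY_ACCOUNTS[account]["role"]
    if record_id.startswith("confidential/") and role not in ("manager", "admin"):
        raise PermissionError(f"{account} ({role}) may not read {record_id}")
    return {"record": record_id, "served_as": account}


def legacy_query(account, password, record_id):
    """Legacy interface: password authentication, then role authorization."""
    acct = LEGACY_ACCOUNTS.get(account)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        raise PermissionError("bad credentials")
    return _legacy_authorize(account, record_id)


# BEFORE: the pattern the post describes. The web service has authenticated
# 'caller' somehow, but talks to the legacy app as one embedded account.
FACADE_USER, FACADE_PASSWORD = "svc_facade", "changeme"  # embedded credential


def facade_embedded(caller, record_id):
    # 'caller' never reaches the legacy app; authorization is svc_facade's.
    return legacy_query(FACADE_USER, FACADE_PASSWORD, record_id)


# AFTER: propagate the authenticated identity in a signed, expiring assertion
# (constructed format: base64(json).base64(hmac-sha256)).
def mint_assertion(key, subject, now, ttl=300):
    body = json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_assertion(key, token, now):
    b64body, b64sig = token.split(".", 1)
    body = base64.urlsafe_b64decode(b64body)
    sig = base64.urlsafe_b64decode(b64sig)
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        raise PermissionError("bad assertion signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise PermissionError("assertion expired")
    return claims["sub"]


def legacy_query_with_assertion(key, token, record_id, now):
    """The legacy side must be extended to accept assertions: this is the catch-22."""
    subject = verify_assertion(key, token, now)
    if subject not in LEGACY_ACCOUNTS:
        raise PermissionError("unknown subject")
    return _legacy_authorize(subject, record_id)


def facade_propagating(key, caller, record_id, now):
    return legacy_query_with_assertion(key, mint_assertion(key, caller, now), record_id, now)


def compare(caller, record_id):
    """Run the same request through both facades; report who the legacy app served."""
    key = b"constructed-shared-key"  # constructed, would come from key management
    now = 1_000_000

    def outcome(fn):
        try:
            return fn()["served_as"]
        except PermissionError:
            return "denied"

    return {
        "embedded": outcome(lambda: facade_embedded(caller, record_id)),
        "propagated": outcome(lambda: facade_propagating(key, caller, record_id, now)),
    }


if __name__ == "__main__":
    for who, rec in (("jsmith", "confidential/salaries"), ("mlee", "confidential/salaries")):
        print(who, rec, compare(who, rec))
```

Running `compare("jsmith", "confidential/salaries")` shows the clerk getting the record as `svc_facade` through the embedded-credential facade and being denied through the propagating one; the legacy app can only enforce its own rules once it sees the real subject.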

Furthermore, the UDDI registry isn't holistically deployed. Seems to me like this DNS-like infrastructure would also need to exist. Who's building it? I don't know ... guess I have more reading to do ...

Tuesday, July 19, 2005

what defines a highly available Web security architecture?

Everyone is saying that all the web security products have all the same bells and whistles. That's not true if you study the high-availability architectures of the products.

Most Web security Agents (Policy Enforcement Points) call back to a central Policy Server (combination of Policy Decision Point & Policy Management Point) to have any decisions made ... so, what happens when you have remote sites with slow connections, or have a high volume? Well, either the agent doesn't work, or the Policy Server dies from overload. Yes, you can horizontally and vertically scale the Policy Servers, but that only goes so-far.

Therefore, one should look for a solution which puts the PEP & PDP together. Tivoli Access Manager is one product that took this course. TAM distributes the rules from the PMP to the PDP to be executed locally. This means each application protected by the Web security domain can scale independently, without also having to scale any shared infrastructure. This is very beneficial for those organizations whose lines of business have their own budgets, and don't like to pool their monies together. The other benefit is that the PEP/PDP pair (if given a small directory replica) can run fairly independently, even if disconnected from the PMP and master Directory. Very useful for plants in Brazil, where the link is a 56K DS0 over satellite.
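An added example (mine, not TAM's or any product's code) of the co-located PEP/PDP model described above: a central PMP publishes versioned rule bundles, each PDP caches the latest bundle and decides locally, and decisions keep working when the link to the PMP drops. The rule format, the staleness window and the `PolicyManagementPoint`/`LocalPDP` names are assumptions for illustration. The one caveat a practitioner wants is visible in `decide`: a PDP cut off for longer than the agreed window fails closed rather than enforcing rules that may have been revoked.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    path_glob: str            # URL pattern the rule protects
    allowed_groups: frozenset  # groups permitted
    methods: frozenset = frozenset({"GET"})


@dataclass
class PolicyBundle:
    version: int
    rules: list
    issued_at: float  # last time the PDP confirmed this bundle with the PMP


class PolicyManagementPoint:
    """Central PMP: the only place rules are authored; distributes versioned bundles."""

    def __init__(self, rules):
        self.version = 1
        self.rules = list(rules)
        self.reachable = True  # simulated link state

    def publish(self, rules):
        self.version += 1
        self.rules = list(rules)

    def fetch(self, since_version, now):
        if not self.reachable:
            raise ConnectionError("PMP unreachable")
        if since_version >= self.version:
            return None  # caller already has the current bundle
        return PolicyBundle(self.version, list(self.rules), now)


class LocalPDP:
    """PDP co-located with the PEP: decides from its cached bundle, no per-request callback."""

    def __init__(self, pmp, max_staleness):
        self.pmp = pmp
        self.bundle = None
        self.max_staleness = max_staleness  # seconds a cached bundle stays trusted

    def refresh(self, now):
        """Pull newer rules if the PMP is reachable; return False if it is not."""
        try:
            newer = self.pmp.fetch(self.bundle.version if self.bundle else 0, now)
        except ConnectionError:
            return False
        if newer is not None:
            self.bundle = newer
        else:
            self.bundle.issued_at = now  # PMP confirmed the cached bundle is current
        return True

    def decide(self, user_groups, method, path, now):
        if self.bundle is None:
            return "DENY"  # no rules yet: fail closed
        if now - self.bundle.issued_at > self.max_staleness:
            return "DENY"  # disconnected too long: rules may have been revoked
        for rule in self.bundle.rules:
            if method in rule.methods and fnmatch.fnmatch(path, rule.path_glob):
                return "PERMIT" if set(user_groups) & rule.allowed_groups else "DENY"
        return "DENY"  # no matching rule: default deny


def run_scenario():
    """Constructed timeline: connected, link down, link down too long, rules updated."""
    pmp = PolicyManagementPoint([
        Rule("/plant/brazil/*", frozenset({"plant-ops"}), frozenset({"GET", "POST"})),
        Rule("/hr/*", frozenset({"hr"})),
    ])
    pdp = LocalPDP(pmp, max_staleness=3600)
    t0 = 1000.0
    out = {}
    pdp.refresh(now=t0)
    out["ops_plant"] = pdp.decide({"plant-ops"}, "POST", "/plant/brazil/line1", now=t0)
    out["ops_hr"] = pdp.decide({"plant-ops"}, "GET", "/hr/payroll", now=t0)
    pmp.reachable = False  # satellite link drops
    out["refresh_offline"] = pdp.refresh(now=t0 + 600)
    out["offline_decision"] = pdp.decide({"plant-ops"}, "GET", "/plant/brazil/line1", now=t0 + 600)
    out["stale_decision"] = pdp.decide({"plant-ops"}, "GET", "/plant/brazil/line1", now=t0 + 4000)
    pmp.reachable = True
    pmp.publish([Rule("/plant/brazil/*", frozenset({"plant-ops", "auditors"}))])
    pdp.refresh(now=t0 + 4000)
    out["after_update"] = pdp.decide({"auditors"}, "GET", "/plant/brazil/line1", now=t0 + 4000)
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:18} {verdict}")
```

The PEP itself is just the caller of `decide`; the expensive part (policy evaluation) never leaves the application host, which is what lets each protected application scale on its own budget.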

Monday, July 18, 2005

WARNING: Laws at Play

ok, now that I just gave a couple data-points for justifying IdM projects, I have to put in a warning:

* The Law of Diminishing Returns is At Play

If your project is going to be multiple years in the making, be forewarned that a sharp financial leader will re-baseline the environment yearly. What does this mean? It means the savings from Year-1 cannot be applied to Year-2 ... and your job just got harder.

Example 1: You implement password synchronization and save $1M in a $5M help-desk cost this year. Next year, the help desk is a $4M problem as a result of re-baselining. Your $1M savings has already been realized, and now you need to figure out how to extend your initial investment to save more for Year-2.

Worse yet, your solution may not yield as much savings as you thought ... in fact, it may be just the opposite.

Example 2: Your new help-desk tool now costs $500K to operate yearly. Thus, in year-2 you have now added $500K back to the help desk, making it a $4.5M problem. In year-3 you're back to $5M, and in year-4 you're at $5.5M.

At that rate, you'll be faced with the problem of: Why didn't you just outsource this to Kuala Lumpur? You're fired.

comment on Mike N.'s cost-justifications - Productivity

While Mike N. did hit the general points for justifying an IdM project, he seemed to miss out on the value of end-user productivity. Most companies have left this as a "soft dollar" item. Manufacturing organizations, however, realize that this is a "hard dollar" item. It's tied not only to expenditure (e.g. payroll), but to revenue (e.g. if there's a strike, you can't make product, so you can't sell product). Lost Engineering Hours, Lost Units Produced and Lost Days Worked are all units of measure to which average salaries can be applied, and which can be directly used to drive the ROI model for an IdM project.

comment on Mike N.'s cost-justifications - Help Desk

In the BurtonGroup Root Document "Enterprise Identity Management: Moving from Theory to Practice", Mike Neuenschwander iterated many valid points for justifying IdM projects. A few, though, aren't real when considering an IT-Outsourced environment.

Many organizations outsource some element of their business, usually the Help Desk. Just because a tool, such as password self-service, reduces one type of call, does not intrinsically mean there's a savings. Quite often the contract is fixed, and instead of reducing heads, those heads would be reallocated to reducing other types of calls, or improving first-time resolution.

In short, don't assume that you'll reduce any heads anywhere as a result of technology. Those heads will most likely be re-used to fix other failing processes of your organization.

though we lie, our biometrics don't

Bob's axioms were in full play at the conference last week. When people meet, they say some things about themselves, maybe more than what's truthful or accurate, or maybe not much at all. We do this all the time, but does it make us any less identifiable? I think not. The biometric aspects are still there if we choose to use them (face, fingerprint, DNA). We may come to require this for any secured transaction someday, if all else fails, and if new security measures aren't intuitive to someone with barely any education.

should I be glad there's stereotypes?

On the way out of the hotel at the Burton Catalyst conference, I ran into a colleague who was going to the airport as well. He handed me his keys to get the car from the valet.

Handed the keys to the valet, and he asked for the last name on the account ...

"Al-Hadidi" I said.

"You're not an Al-Hadidi" he replied.

True, I'm about as white as Wonder Bread. While his comment was rude, and while he inconvenienced me (he wouldn't go get the car until my colleague arrived), I can see the point ... most people wouldn't think twice, and might have just handed over the car to a thief.

ok, so it's time to rejoin ...

Wow, so I'm back on the net. Been a while since I did anything outside of work. *deep breath* Yeah, feels good.