The Intersection of Policies, Standards & Best Practices for Robust Public Sector Cloud Deployments
Last week I was invited to attend the 2012 OASIS International Cloud Symposium.
I was very impressed. The attendance was not large; in fact, the organizers limited the number of attendees to 125 people. I was not able to attend the first day, but the second day was lively, with many interesting presentations and discussions.
I won't go over the complete agenda; if you want to, it can be found in PDF format here.
Overall I would say every presentation given was worth listening to, and the information was both valuable and informative. Not all of the presentations have been posted yet, but a good number of them, including mine, can be found at this location.
I wanted to highlight a few of the presentations that were especially interesting. Again, I think all of them are worth looking at, but here are some highlights.
Privacy by Design
The day started out with the Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian, giving a presentation via video to the group on Privacy by Design. Her message was that she and Dr. Dawn Jutla (more about Dr. Jutla in a second) are co-chairing a technical committee on Privacy by Design for Software Engineers.
“It’s all about developing code samples and documentation for software engineers and coders to embed privacy by design into technology. We are going to drill down into the “how to” in our technical committee.”
Following the video by Dr. Cavoukian, Dr. Dawn Jutla gave a presentation about Privacy by Design (PbD).
Now, I had heard of Dr. Cavoukian and the PbD movement, but I had never been exposed to any details. The details were amazing, and I like the 7 Foundational Principles:
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality—Positive-Sum, not Zero-Sum
5. End-to-End Security—Full Lifecycle Protection
6. Visibility and Transparency—Keep it Open
7. Respect for User Privacy—Keep it User-centric
These are sound principles that make a lot of sense. So much so that I invited Dr. Jutla to attend the Internet Identity Workshop (IIW) and to jointly present with me a discussion about Privacy and Identity in an API Economy.
If you look at the agenda, the rest of the speakers presenting on privacy were stellar. I learned a lot.
I strongly recommend looking over the agenda and reviewing the presentations that interest you. For most organizations, this should be every plenary and every discussion group.
I was also impressed with OASIS's ability and willingness to invite seemingly competing groups, like ISO (iso.org), ANSI, and Kantara. This is the way a standards body should work when it has the best interest of the industry and the objective of open standardization at heart.
Kudos to Laurent Liscia and the entire OASIS organization for the execution of a great event.
National Institute of Standards and Technology awards $9M to support trusted identity initiative
On September 20, 2012, the National Institute of Standards and Technology (NIST) announced more than USD 9 million in grant awards in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
The grants were awarded to five consortia, all of them big, and all of them representing different views and technologies with a strong focus on identity, security, and trust.
While many identity and security professionals are familiar with the Obama administration's NSTIC program, many international professionals are not. In order to address all of KuppingerCole's constituents, some background information is useful.
The impetus for the NSTIC policy move by the Obama administration is part of the Cyberspace Policy Review published in June 2009. The administration appointed Howard Schmidt to a new Cyber Security Coordinator position. Schmidt is a well-known security expert and is experienced in international security policies and technologies.
On Tuesday, December 22, 2009, Schmidt was named as the United States' top computer security advisor to President Barack Obama. Previously, Schmidt served as a cyber-adviser in President George W. Bush's White House and has served as chief security strategist for the US-CERT Partners Program for the National Cyber Security Division through Carnegie Mellon University, in support of the Department of Homeland Security. He has served as vice president and chief information security officer and chief security strategist for eBay.
Under Schmidt's direction and managed by NIST, the first draft of NSTIC was published in June 2010. The draft received much criticism for its lack of privacy protection for individuals and for the size of the role played by the government. The strategy was rewritten and the final version published in May 2011. In the final version, the role of the government was reduced and privacy issues were addressed.
The stated objectives of the NSTIC initiative are:
NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups and public-sector agencies. The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation.
“Increasing confidence in online transactions fosters innovation and economic growth,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “These investments in the development of identity solutions will help protect our citizens from identity theft and other types of fraud, while helping our businesses, especially small businesses, reduce their costs.”
NSTIC envisions an “Identity Ecosystem” in which technologies, policies and consensus-based standards support greater trust and security when individuals, businesses and other organizations conduct sensitive transactions online.
The pilots span multiple sectors, including health care, online media, retail, banking, higher education, and state and local government and will test and demonstrate new solutions, models or frameworks that do not exist in the marketplace today.
As expected, NIST picked big consortia with big ideas for identity and trust across a broad spectrum of technologies and market segments. Here is what NIST said about its choices:
“These five pilots take the vision and principles embodied in the NSTIC and translate them directly into solutions that will be deployed into the marketplace,” said Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST. “By clearly aligning with core NSTIC guiding principles and directly addressing known barriers to the adoption of the Identity Ecosystem, the pilot projects will both promote innovation in online identity management and inform the important work of the Identity Ecosystem Steering Group.”
The grantees of the pilot awards are:
The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
Criterion Systems (Va.): $1,977,732
The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/InCommon Federation, and Fixmo Inc.
Daon, Inc. (Va.): $1,821,520
The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer-friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
Resilient Network Systems, Inc. (Calif.): $1,999,371
The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative.
In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children's Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2's InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2's partners include the Carnegie Mellon and Brown University computer science departments, the University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation's identity ecosystem.
High Level Analysis
In terms of government initiatives, NSTIC has been moving at lightning speed. Jeremy Grant has been a proactive advocate of the initiative and is an articulate and capable leader. It shows in the choice of these consortia and their constituents.
At the same time, 9 million dollars spread across five initiatives, each with many mouths to feed, does not go very far and can be used up very quickly. It will be interesting to see how far each will proceed over the next twelve months. I chose 12 months because I can't see how the money awarded to each group will last much longer than that.
Each group will need to put a plan together and execute in that time frame if it is to survive.
Over the coming weeks, we will take a closer look at each initiative, what their respective architectures look like, and what their specific objectives are in their roles in the identity ecosystem outlined by NIST.
Of course, I will be paying special attention to what each consortium has planned as an API Economy strategy. Each will need a solid API design that gives all of the other groups API access to all of its services, through both the legacy Web Services stack (SOAP) and the emerging API Economy imperative (RESTful).
If a group does not have a solid SOAP/RESTful API strategy, it simply will not succeed, either individually or as part of the whole.
I know it sounds strange coming from me that an organization should continue embracing the SOAP legacy, but there are just too many government and non-profit organizations that cannot afford to jump to the real world quickly and must continue carrying the burden of the past. So it is sometimes.
Of course there are many more issues involved in the success of this initiative beyond APIs; these issues will be covered in more depth in subsequent KuppingerCole reports and activities at the EIC Conference in May 2013.
Nonetheless, we see this move by NIST to grant these awards as positive; it will have a reverberating impact on the identity community, across the globe, for the good for some time to come.
Salesforce Identity provides Identity and Access Management (IAM) services for Web and mobile applications, delivered through the simplicity, transparency, and trust of the Salesforce Platform.
For users, Salesforce Identity means no more frustration juggling passwords for each application. Login once and seamlessly access all your applications and data using Single Sign-On from a single, social Identity.
Administrators gain control and flexibility over access to applications by automating identity and access management processes through the simplicity you've come to expect from Salesforce.
CIOs can leverage existing authentication investments, while gaining control and peace of mind over your cloud investments via centralized reporting and deprovisioning.
Developers can build Web, mobile or tablet applications on the Salesforce Platform or on any third-party platform through simple standards-based integration.
ISVs can tap into the power and distribution of AppExchange and Login with Salesforce regardless of where their app runs, be that Force.com, Heroku, mobile, or any other cloud.
High Level Analysis
I find it so fascinating that the laggard in joining the Cloud Computing parade, Microsoft, was the first to announce an IdMaaS initiative, in a very low-key, understated way, and that the leader in the SaaS movement, Salesforce, shouts its IdMaaS strategy from the rooftops at its mainstream technology conference with Marc Benioff leading as the main spokesperson. It so underlines how clueless Steve Ballmer is to the issues facing Microsoft and its customers.
There are some people at Microsoft that know this. This does not include Steve Ballmer.
As of today, everybody at Salesforce knows it and can’t avoid it. Marc Benioff made the announcement and outlined the vision for Identity in Salesforce’s future.
Putting it another way, the Computing Troika (Cloud Computing, Mobile Computing, and Social Computing) has forced to the surface the issue of digital identity as the keystone technology issue for everything.
Without a tractable implementation of identity for the entire industry to use (think IdMaaS), all entrances to the future of computing collapse; the identity keystone holds it all together.
Salesforce entering the IdMaaS business with its substantial vision, leadership and technology resources cannot help but have a positive effect for everyone in the long term.
Of course we will have to wait and see exactly what Salesforce delivers in the initial IdMaaS implementation, but Chuck Mortimore has an impeccable track record and knows his stuff.
I am impressed and will follow up after more information is available.
This morning over coffee I was gesturing through Zite, the iPhone and iPad personalized publishing review app. There was my blog post in the headlines.
I realize that Zite personalizes the headlines, so probably no one else saw that, but it seemed pretty cool.
Anyway, it got me thinking about what kind of things I would like to have access to in WAAD (Windows Azure Active Directory), to see if it is going to work and meet some of the tough requirements.
Keeping it simple, here is what I came up with.
Give me Devices and Device Management in the Cloud
Give me a way to put my devices into the cloud, get events from them, manage them, and allow other apps and systems to manage them.
One way to do the whole thing would be to use the Windows Management Instrumentation design and Apple's System Profiler.
Both systems are kind of old and have a legacy of issues around them. But that is perhaps the whole point. Make the legacy management namespaces work. Why reinvent them? Just use the moment to fix the inherent problems and move forward. We need a schema for known devices. There is no sense in creating a new one. Use the namespace we have, despite its complexities and detractors.
Built into Windows is a management instrumentation framework. It's called Windows Management Instrumentation. It's a cool design, but old and hard to get to: the rigorous but complicated Common Information Model (CIM) and the SOAP-based WS-Management remoting both keep accessing WMI relatively hard.
The Apple System Profiler is also relatively complicated and requires the use of Apple's IOKit.
So here it is: give me device registration and management with a RESTful interface and a JSON data format.
Here is one step better: when devices raise events, use the evented-API architecture, or an equivalent, and post them to a webhook so other apps can take independent action on the event.
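To make the request above concrete, here is an added example (mine, not code from the original post, and not a WAAD or Microsoft API) of the shape such a service could take: a JSON device registration endpoint that mints opaque device IDs, a webhook subscription, and signed event deliveries. Everything in it is an assumption for illustration: the `DeviceRegistry` class, the `X-Event-Timestamp`/`X-Event-Signature` headers, the HMAC-SHA256 signing scheme, and the constructed sample registration. The part a practitioner cares about is the receiving side: a webhook that other apps act on must reject forged, tampered and replayed events, which is why the timestamp is covered by the MAC, the comparison is constant-time, and stale deliveries are refused.

```python
"""Added example: in-memory device registry with signed webhook events.

Not WAAD or any vendor API; all names and headers here are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample body, as a client would POST it to /devices.
SAMPLE_REGISTRATION = json.dumps({
    "name": "craigs-ipad",
    "platform": "ios",
    "claims": {"model": "iPad3,1", "os_version": "6.0"},
})

REQUIRED_FIELDS = ("name", "platform")


@dataclass
class Subscriber:
    url: str
    secret: bytes  # shared HMAC key handed over when the subscription is created


@dataclass
class DeviceRegistry:
    """Stand-in for the cloud-side device store (assumed, not a real service)."""
    devices: dict = field(default_factory=dict)
    subscribers: list = field(default_factory=list)

    def register_device(self, body: str) -> dict:
        """POST /devices: validate the JSON body and mint an opaque device id."""
        try:
            doc = json.loads(body)
        except json.JSONDecodeError as exc:
            raise ValueError(f"body is not valid JSON: {exc}") from None
        missing = [f for f in REQUIRED_FIELDS if f not in doc]
        if missing:
            raise ValueError(f"missing required field(s): {', '.join(missing)}")
        # Opaque random id; never derive it from serial numbers or MAC addresses,
        # which would leak a stable hardware identifier to every subscriber.
        device_id = secrets.token_hex(8)
        record = {
            "id": device_id,
            "name": doc["name"],
            "platform": doc["platform"],
            "claims": dict(doc.get("claims", {})),
        }
        self.devices[device_id] = record
        return record

    def get_device(self, device_id: str) -> dict:
        """GET /devices/{id}; raises KeyError for unknown ids."""
        return self.devices[device_id]

    def subscribe(self, url: str, secret: bytes) -> None:
        """POST /webhooks: another app asks to be told about device events."""
        self.subscribers.append(Subscriber(url, secret))

    def raise_event(self, device_id: str, event_type: str, data: dict, now: int) -> list:
        """Build one signed webhook delivery per subscriber.

        Returns the HTTP requests that would be sent (url, headers, body) so the
        logic runs offline; a real service would POST each one.
        """
        if device_id not in self.devices:
            raise KeyError(f"unknown device {device_id}")
        body = json.dumps({"device_id": device_id, "type": event_type,
                           "data": data, "ts": now}, sort_keys=True)
        deliveries = []
        for sub in self.subscribers:
            deliveries.append({
                "url": sub.url,
                "body": body,
                "headers": {
                    "Content-Type": "application/json",
                    "X-Event-Timestamp": str(now),
                    "X-Event-Signature": sign_webhook(sub.secret, now, body),
                },
            })
        return deliveries


def sign_webhook(secret: bytes, ts: int, body: str) -> str:
    """HMAC-SHA256 over 'timestamp.body' so the timestamp is covered by the MAC."""
    return hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: str, now: int,
                   max_skew: int = 300) -> bool:
    """Receiver side: reject missing/bad signatures and stale (replayed) events."""
    try:
        ts = int(headers["X-Event-Timestamp"])
        presented = headers["X-Event-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = sign_webhook(secret, ts, body)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


if __name__ == "__main__":
    reg = DeviceRegistry()
    dev = reg.register_device(SAMPLE_REGISTRATION)
    reg.subscribe("https://hooks.example.invalid/mdm", b"shared-secret")
    for d in reg.raise_event(dev["id"], "device.locked", {"by": "admin"}, now=1_350_000_000):
        print(d["url"], verify_webhook(b"shared-secret", d["headers"], d["body"], now=1_350_000_030))
```

The registry hands back the requests it would send instead of sending them, which keeps the example runnable without a network and makes the verification path easy to exercise; swapping the delivery loop for real HTTP POSTs does not change the signing or checking logic.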
Why Device Management in the cloud would be Cool
The identity explosion is upon us. Cisco recently published a report, covered by Network World, that predicts there will be 3 times as many devices as people by 2016 (18.9 billion); I predict this number is conservative. Let's see if we can securely put the management and profiling identifiers in the cloud, protect privacy, and enable access.
This way we keep things simple and we don't have to start with people identifiers, which tend to get people all worked up. People can readily start to see why device identifiers and claims in the cloud are useful. Other developers can throw in their management expertise and quit spending so much time building identity infrastructure for protection; after all, doing more with fewer resources is one of the core purposes of IdMaaS.
Do you have a better idea or any request about WAAD? Let me know and I will post it and see how Microsoft responds.
At the first of the month I attended IIW 14 in Mountain View. I also attended the VRM workshop on the 30th. The VRM workshop was hosted by Ericsson. The IIW was held at the Computer History Museum.
Before I summarize what happened at those events, I want to give a little background on IIW.
IIW uses a format referred to as an "unconference." The main purpose of an unconference is to avoid the traditional design of a conference. The format, as I have heard it described, was developed by Harrison Owen. Legend has it that Owen noticed that during a conference, most of the real activity and deals were going on out in the hall during the breaks.
He asked, "Why can't we create a conference that works like being out in the hall all of the time?" IIW is built around that idea.
Here are the main operational points:
In the morning of the first day, everyone attending introduces themselves and tells all of the other attendees who they are, who they represent, why they are there and what they expect to get out of the conference.
After that, anyone is invited to create a session and a topic. Each person with a topic stands up and says what the topic is and the purpose of the session. Everyone then rushes to the open space scheduling wall and gets a particular space and time slot during the day. This is self-managed. Figure 1 shows a portion of the scheduling wall.
Figure 1: Open Session Scheduling Wall
Each time slot is 50 minutes long. Each session starts at the top of the hour. Anyone can attend any session they desire.
At the end of the day, the session leader—or someone that attended the session—gives a summary of the session. Session notes are to be emailed and posted on the IIW Wiki later.
In closing, there is an acknowledgement ceremony.
Figure 2: Acknowledgement Ceremony
In this ceremony, anyone is invited to stand up and acknowledge anyone else for anything that is relevant to the workshop. This is done by giving the person a choice of wine or chocolates. Figure 2 shows the acknowledgement ceremony and shows Doc Searls acknowledging someone.
Each day then follows the same format except that only new people who did not introduce themselves the first day are introduced.
VRM Day Overview
The entire day was spent discussing projects and products that are finally starting to use VRM as their underpinnings.
We also talked about Doc Searls's new thinking about VRM. The best place to review that is by watching his presentation given at the KuppingerCole EIC 2012 conference.
Here were some of the topics discussed.
Open API Economy
Life Management Platforms
Selling the first Vendors – Who Goes First
VRM and CRM
IntentCasting Networks – beyond the cliche: vertical use cases
UI and UX for VRM, PDS, R-buttons, ToS, Cheese
Personally Asserted Terms and Conditions
Sovereign ID vs. Admin ID
Customer Commons: Live!
This year’s sessions were very diverse, but there were some consistent themes every day.
There were more VRM sessions this year than I have ever seen. I attribute this explosion of sessions to the release of Doc's book, The Intention Economy. There was an entire track of VRM sessions on every day of the workshop. On the first day, I attended almost all of the sessions. The VRM community is very broad and does not lean so much on Doc for its progress. Everyone was very excited about the book and the concepts in it.
In several of the sessions I focused on the link between the Open API Economy and the Life Management Platform, and the roles of these two trends as they relate to VRM. In our opinion at KuppingerCole it is important to point out that VRM is much more than the counterpart to CRM and includes many more things than just e-commerce and shopping. People were very responsive to these perspectives.
Another cool result of all this is the new post that Doc Searls put up on the VRM Wiki, adding the term Life Management Platform and attributing it to KuppingerCole.
Almost a thousand people (998) have viewed this presentation since the workshop – I’m really impressed.
The three most active protocol discussions centered on OpenID Connect, SCIM and XDI. In addition, every discussion of any type of service, from privacy to personal data stores, covered its status and intent to provide API access.
The Open API meme is clearly on fire, and KuppingerCole is viewed as the thought leader around this topic.
The entire community is very excited about OpenID Connect and SCIM, as they are seen as protocols that solve serious problems: OpenID Connect for programmatic, REST-style access to the federation functions that have lived in the SAML world, and SCIM as a programmatic protocol for automated provisioning.
There was a lot of discussion concerning privacy and the meaning of privacy. Scott David contributed significantly to this discussion with legal definitions and implications. The question kept coming up of how to build products that satisfy personal and legal privacy requirements across international boundaries, especially since the requirements, laws and social conventions are not well defined. Again, KuppingerCole's approach of Life Management Platforms provides some interesting thoughts (and maybe answers) on that.
Personal Data Stores, Personal Data Lockers, Personal Clouds, FreedomBox and on and on.
The meme about Personal Data is very much on the move and in flux. Almost everyone who says they are working with Personal Data has a different notion of what it is and how it should work.
One of the presenters opened with a great joke from Steven Wright that is a useful analogy about personal data. It goes “I have a large seashell collection which I keep scattered on the beaches all over the world. Maybe you’ve seen it.”
One of the most fun and interesting personal data sessions was around FreedomBox. Markus Sabadello ran this session.
This link gives a review of the session. He also brought up the Life Management Platform. He didn't quite get it right, but I like that the term is being inserted into the discussion. Life Management Platforms are much more than just data stores; there is much in the concept about how to ensure the secure and privacy-aware use of personal data, i.e. not just storing it, but using it the right way and enabling new (and improved) forms of business.
IIW is well run and mature, and it consistently meets its purpose of quality discussion and advancement of personal identity issues.
IIW 14 topics were spot on, fresh and informative.
The biggest complaint I have about IIW is that there are no notes posted for many of the sessions.
The VRM Workshop was well attended and reflects the interest shown at the KuppingerCole EIC 2012 conference.
Perhaps this year we will finally see some products that are VRM oriented.