27.01.2012 by Tim Cole
The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders.
The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens if someone who isn’t authorized tries to access them or pass them on illegally. In fact, that is the whole idea of “information-centric IT security”, a buzzword that is gaining popularity among Digital Identity Management experts and privacy advocates.
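As an added illustration of that information-centric idea (this is not code from the page, nor from any government programme or product it mentions), the following Python sketch lets a policy travel with each record: a small reference monitor decides every read and share against the record’s own tag, writes an audit trail of allowed and denied attempts, and extends a provenance chain on every share so a copy that turns up where it should not can be traced back. All principals, actions and the sample record are constructed for the example.

```python
"""Information-centric access control: the policy is attached to the data.

Added example, not from the page. Principal names ("officer", "analyst",
"reporter"), the action vocabulary and the sample memo are constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Policy:
    # action -> set of principals allowed to perform that action
    allow: dict


@dataclass
class Tagged:
    payload: str
    policy: Policy
    provenance: tuple = ()  # principals the copy has passed through, in order
    doc_id: str = ""

    def __post_init__(self):
        # Stable identifier for the information itself; a copy keeps it,
        # which is what makes a leaked copy traceable to its source record.
        if not self.doc_id:
            self.doc_id = hashlib.sha256(self.payload.encode()).hexdigest()[:12]


class Monitor:
    """Reference monitor: every access goes through here and is logged."""

    def __init__(self):
        self.audit = []  # (decision, principal, action, doc_id, provenance)

    def check(self, principal, action, doc):
        allowed = principal in doc.policy.allow.get(action, set())
        self.audit.append(("ALLOW" if allowed else "DENY",
                           principal, action, doc.doc_id, doc.provenance))
        return allowed

    def read(self, principal, doc):
        if not self.check(principal, "read", doc):
            raise PermissionError(f"{principal} may not read {doc.doc_id}")
        return doc.payload

    def share(self, principal, doc, recipient):
        """Hand a copy to recipient; the tag, policy and history go with it."""
        if not self.check(principal, "share", doc):
            raise PermissionError(f"{principal} may not share {doc.doc_id}")
        return Tagged(doc.payload, doc.policy,
                      doc.provenance + (principal, recipient), doc.doc_id)


def trace(doc):
    """Human-readable provenance chain of a copy."""
    return " -> ".join(doc.provenance) or "<origin>"


def demo():
    # Constructed sample: officers may read and share, analysts may only read.
    policy = Policy(allow={"read": {"officer", "analyst"}, "share": {"officer"}})
    memo = Tagged("constructed sample: internal memo text", policy)
    mon = Monitor()
    mon.read("officer", memo)                    # ALLOW
    copy = mon.share("officer", memo, "analyst")  # ALLOW, provenance grows
    mon.read("analyst", copy)                    # ALLOW
    try:
        mon.share("analyst", copy, "reporter")   # DENY: analyst has no share right
    except PermissionError:
        pass
    return mon, copy


if __name__ == "__main__":
    mon, copy = demo()
    for entry in mon.audit:
        print(entry)
    print("copy provenance:", trace(copy))
```

The point the passage makes is visible in the audit list: the denied share attempt is recorded with the principal, the action and the provenance of the copy it was attempted on, so a later investigation starts from the record rather than from the network.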
But publicly announcing their aim of stopping another WikiLeaks-style exposure of classified information just shows that the Official Mind has yet to grasp the real implications of the Digital Revolution. “Information wants to be free” was originally a clarion call by Internet activists who believed that transparency should be the hallmark of an open society. In fact, the real motto is best encompassed in what I once dubbed “Cameron’s Law”, after Microsoft’s “identity guru” Kim Cameron, who once postulated that “sensitive information will be leaked”.
Yes, we all need to do all we can to protect privacy and guard crucial bits of information. But we should also be prepared for the worst. IT Security can create a false sense of confidence in our own defense mechanisms. At least as important as plugging holes in the dyke is to prepare oneself for the moment when the levees break and the floodwaters start to rise. Maybe “Remember New Orleans” would be a good slogan for security professionals to hang on their walls.
I found it particularly poignant to read the name of the official in charge of U.S. government efforts to create the Totally Secure System: Jim Clapper, the Director of National Intelligence, the mention of whom brings irresistibly to mind the old nautical expression about “clapping a stopper” over something, meaning to block something effectively. “Clapper” is actually the word for a safety valve – and as any engineer will tell you, the function of a valve is to let something out before the pressure reaches dangerous levels and pieces of stuff start flying around.
Of course, controlling the release of data so that only authorized individuals are able to see and use them is in fact what Identity Management is all about – or should be.
16.05.2011 by Tim Cole
The European Identity Conference EIC, which recently ended here in Munich, had many highlights, but for me personally the very best was the keynote by the Italian psychologist Dr. Emilio Mordini, CEO of the Centre for Science, Society and Citizenship CSSC in Rome, which he describes as a leading independent research centre specializing in advice on political, ethical and social issues raised by emerging technologies. His topic was “Secrecy in the Post Wikileaks Era”, in itself a fascinating subject, but where it got really entertaining and thought-provoking was when he turned to the subject of the “segreto di Pulcinella”, or Pulcinella Secrets.
Pulchinella, we all learned, is a bumbling, clownish figure from the Italian “commedia dell’arte”, a traditional folksy form of theatre that began in Italy in the mid-16th century and which is characterized by masked “types” performing often improvised performances based on sketches or scenarios. According to Wikipedia, “arte” does not refer to “art” as we currently consider the word, but rather to that which is made by “artigiani” (artisans).
22.04.2011 by Tim Cole
You know you’re at a real nerdfest when the conference catering consists of large pretzels and candy bars. This tweet by some unknown delegate just about captures my own impression of TEC 2011. Measured in terms of techies per square foot, this simply has to be the geekiest conference in the galaxy.
For me as an Identity guy, it was also a kind of homecoming, a reassurance that, yes, there are lots and lots of people out there that share our vision of a world where digital identities will better protect and enable us both in our business and our private lives.
22.03.2011 by Tim Cole
Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.
No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentity makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.
Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).
ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a non-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simply reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.
17.03.2011 by Tim Cole
Where in the Cloud am I? And more importantly: Where are my data? I know that many managers and CIOs are asking themselves similar questions. In fact, as I have posted before, a colleague of mine put that question to Martin Jetter, CEO of IBM Germany, at a briefing about a year ago, namely: “If I give you my data to store in the Cloud, where exactly are they?” Mr. Jetter didn’t quite get the question at first, so he launched into a lengthy technical explanation, but the guy interrupted him and insisted: “I mean, physically, where are they?”
Of course, there was no really good answer, and Jetter sort of danced around the question and then hurried on to something completely different (in the famous words of John Cleese of Monty Python fame). The scene came to my mind recently when I read a Software Advice blog post by Gustav Westerlund, CEO of CRM-Konsulterna, a Swedish consultancy, entitled “Is Your Cloud Safe From the Law?” in which he discusses the lack of legal precedents concerning transnational laws and trade agreements with respect to cloud computing. He asks two deceptively simple questions, just like my colleague did to Mr. Jetter, namely:
- Which country’s laws apply to the data stored in the Cloud?
- Which country’s laws apply to the data being transferred?
I have blogged about this subject myself concerning the ramifications of European data protection laws, which have forced Amazon, for instance, to operate a completely self-contained “European Cloud” based in Dublin so that their European customers won’t go to jail (or have to pay the maximum fine of 300.000 Euros stipulated by the EU directive) just because somebody’s name and address made it across the Atlantic due to the magic of packet switching. But Westerlund takes the issue a step further.
21.02.2011 by Tim Cole
Almost two years ago, I blogged about a conversation I had with Martin (“Tall Martin”) Buhr about Cloud Security. At the time, he was the European head of Amazon’s Web Services, and he has recently moved on to Nimbula (“the Cloud Operating System company”) as head of sales and business development, but his words came back to me during an analyst panel at RSA Conference in SFO, where I shared the rostrum with Eric Maiwald of Gartner and Jonathan Penn of Forrester and during which we touched on regulation issues that could block the development of Cloud Computing.
In Europe, the case is very clear: The European Data Protection Directive only allows personal data to be transferred to so-called “third countries” if that country provides an adequate level of protection. The most prominent third country is, of course, the United States which chooses for reasons we needn’t get into here to refuse individuals the right to control their personal data the way Europeans can.
In the age of packet switching, nobody can be sure some piece of information won’t make a hop over to New York or San Francisco on its way from, say, London to Frankfurt. That is the charm and the wonder of TCP/IP, that data will always find a workaround if some part of the net is blocked, clogged or restricted. The original scenario, of course, was a Russian attack on the U.S. military’s communications infrastructure, and the thing data packets were supposed to get around were gaping, radioactive holes in the ground where major U.S. cities (and telephone hubs) once stood.
Thankfully, the clear and present danger of such doomsday scenarios has faded somewhat, but the principle behind TCP/IP remains: It is almost impossible to restrict the flow of data anywhere in the world, short of shutting down the entire Internet, as the authorities in Egypt and Iran have done, or erecting gigantic electronic barriers like the Great Firewall of China.
Since in the age of Cloud Computing nobody really knows where on earth their data are at any given moment (that’s the charm of Cloud Computing, after all!), any European CEO who allows personal data about customers or employees to be stored in the Cloud can be seen as having one foot in jail. Let an auditor or a police investigator find that data residing outside the physical boundaries of the EU, then the CEO’s number is up. And he can’t pass the buck on to his CIO, because managerial liability doesn’t work that way. It’s his call, and if he didn’t keep his CIO on a leash, then tough luck!
09.09.2010 by Tim Cole
The problem with Cloud Computing is that no two experts can agree what it really is, right? Wrong! As of Sunday evening, we at least have two major players singing from the same psalm book.
At Oracle Open World in San Francisco, Larry Ellison went public with the announcement that not only does he agree with Amazon on their definition of Cloud Computing; he is actually stealing their thunder, or at least the thunder of the name Amazon invented to describe their cloud services, namely “Elastic Cloud”.
He also gave a firm answer to the age-old question: is Cloud Computing an application or a platform? The latter, the man who feels equally at home at the helm of a racing yacht or an international computer company stated in no uncertain terms, hurling a bolt of devastating lightning at Salesforce.com, which to him is “just a couple of applications on the Internet”.
So here is Larry’s definition of Cloud Computing, just in case you wondered. It is a pool of resources for developing and sharing applications, so it’s a platform, stupid! It involves virtualization, so if it isn’t virtual, it ain’t cloud. It uses “elastic” technology so it can scale quickly and easily (and back, too: users should be able to get rid of resources they no longer need just as simply as they can dial them up). And did I mention pricing? You only pay for what you eat, of course.
Ellison is a man who practices what he preaches. So the riddle of the grey cabinet the size of a large dresser standing next to him on the stage of Moscone Center was soon solved. Nicknamed the “Cloud in a Box”, the new product he announced is officially called the “Exalogic Elastic Cloud” and consists of 30 servers running in parallel with its very own storage array, two separate operating systems (Solaris for the hardware, Linux for the software), VM and middleware (by Oracle, of course), all tightly packed into a single closet-sized unit. It represents nothing less than your very own private cloud that you can install and run behind your corporate firewall, thus eliminating all those worrisome questions about security that till now have kept CIOs from jumping on the cloud bandwagon. This, Ellison declared, is the future of Cloud Computing.
09.03.2010 by Tim Cole
Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services’ decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.
So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.
His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.
And what is even more surprising was that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German watchers, “and business, especially the IT business, needs to take the lead.”
How often do identity gurus in the U.S. get to air their views on “60 minutes”?
Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.
The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full consent and oversight of the consumer.
This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…
11.08.2009 by Tim Cole
Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.
I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.
Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.
Of course, software tokens have been around for quite awhile, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.
Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)
Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.
This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.
Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.
My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.
In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.
18.06.2009 by Tim Cole
Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle.
Soeren is VP SaaS at Parallels, a company that describes itself as “worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers”. His job is to bring together Internet hosting providers and independent software vendors (ISVs) by providing a common platform to provision, manage and integrate applications and services over the Internet. His vision is to create a large-scale cloud computing ecosystem where software vendors and cloud operators together deliver a wide variety of services to businesses and consumers.
To achieve this goal, Parallels has written what they call the “Application Packaging Standard” (APS), which they describe as a new application packaging format designed to help implement a Software-as-a-Service (SaaS) business model. I guess you could call it “SaaS 2.0” (or maybe “ASP x.0”), because it enables almost all industry hosting providers – Parallels’ traditional customer base – to team up with almost any application provider to offer their apps as a rental web service.
Once packaged in the APS format – basically just an XML feed – by a software vendor, an application can be easily “plugged” into an infrastructure of any hosting provider that implemented the standard “socket” for the APS applications.
Soeren thinks this is a real win-win situation, since it gives hosting providers a new, higher-value business model while providing a new distribution channel for ISVs. Parallels is touting their standard as an open platform, and rumor has it that they will be founding a non-profit organization to push the specification in the public domain, so check out their website at www.apsstandard.org for updates.