The business of business is trust

09.03.2010 by Tim Cole

Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services’ decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.

So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.

His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.

And what is even more surprising is that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German viewers, “and business, especially the IT business, needs to take the lead.”

How often do identity gurus in the U.S. get to air their views on “60 Minutes”?

Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.

The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full consent and oversight of the consumer.

This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…

Identity – Last Man Standing?

11.08.2009 by Tim Cole

Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.

I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.

Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.

Of course, software tokens have been around for quite a while, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.

Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)

Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.

This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.

Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.

My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.

In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.

Parallels wants to bring SaaS to the masses

18.06.2009 by Tim Cole

Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle.

Soeren is VP SaaS at Parallels, a company that describes itself as “worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers”. His job is to bring together Internet Providers and Services Providers (ISVs) by providing a common platform to provision, manage and integrate applications and services over the Internet. His vision is to create a large-scale cloud computing ecosystem where software vendors and cloud operators together deliver a wide variety of services to businesses and consumers.

To achieve this goal, Parallels has written what they call the “Application Packaging Standard” (APS), which they describe as a new application packaging format designed to help implement a Software-as-a-Service (SaaS) business model. I guess you could call it “SaaS 2.0” (or maybe “ASP x.0”), because it enables almost all industry hosting providers – Parallels’ traditional customer base – to team up with almost any application provider to offer their apps as a rental web service.

Once packaged in the APS format – basically just an XML feed – by a software vendor, an application can be easily “plugged” into an infrastructure of any hosting provider that implemented the standard “socket” for the APS applications.

Soeren thinks this is a real win-win situation, since it gives hosting providers a new, higher-value business model while providing a new distribution channel for ISVs. Parallels is touting their standard as an open platform, and rumor has it that they will be founding a non-profit organization to push the specification in the public domain, so check out their website at www.apsstandard.org for updates.


© 2010 Tim Cole, Kuppinger Cole