Parallels wants to bring SaaS to the masses

18.06.2009 by Tim Cole

Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle.

Soeren is VP SaaS at Parallels, a company that describes itself as “worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers”. His job is to bring together Internet Providers and Services Providers (ISVs) by providing a common platform to provision, manage and integrate applications and services over the Internet. His vision is to create a large-scale cloud computing ecosystem where software vendors and cloud operators together deliver a wide variety of services to businesses and consumers.

To achieve this goal, Parallels has written what they call the “Application Packaging Standard” (APS) which they describe as a new application packaging format designed to help implement a Software-as-a-Service (SaaS) business model. I guess you could call it “SaaS 2.0” (or maybe “ASP x.0”), because it enables almost all industry hosting providers – Parallels’ traditional customer base – to team up with almost any application provider to offer their apps as a rental web service.

Once packaged in the APS format – basically just an XML feed – by a software vendor, an application can be easily “plugged” into an infrastructure of any hosting provider that implemented the standard “socket” for the APS applications.

Soeren thinks this is a real win-win situation, since it gives hosting providers a new, higher-value business model while providing a new distribution channel for ISVs. Parallels is touting their standard as an open platform, and rumor has it that they will be founding a non-profit organization to push the specification in the public domain, so check out their website at www.apsstandard.org for updates.

My Twitter Top Ten

09.05.2009 by Tim Cole

I know it’s funny, but in fact it’s me, by far the oldest guy at KCP, who is actually the greatest fan of Twitter. Perhaps if you don’t have as much time left to waste as some of my younger colleagues you learn to appreciate abbreviation.

Anyway, the European Identity Conference which ended yesterday here in Munich produced a bumper crop of Tweets which I have been browsing through this morning at my leisure (first time in a week I’ve had any), and I thought I would share a few with those of you who do not yet fully appreciate just how powerful this new medium actually is.

Summing up a large multinational conference like EIC running over many days and featuring some of the finest speakers in the industry, and doing this in a format that restricts the writer to 140 characters max, is a challenge, of course, but many of those present not only rose to it, but proved themselves past masters of terse, to-the-point, no-nonsense (well actually, sometimes a bit of nonsense) communication.

Where in the Cloud am I?

04.05.2009 by Tim Cole

Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?”

Of course, the answer is: On some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is: Who cares?

Well, for one, the German privacy protection agencies. Passing data across national boundaries can be a federal offense not only here. The EU Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) mandates that personal data may only be transferred to third countries if that country provides an adequate level of protection – something the U.S., just to name one, does not, at least not according to European standards, especially since foreigners do not benefit from the US Privacy Act of 1974.

The Digital Knee

05.04.2009 by Tim Cole

Since “Minority Report”, where Tom Cruise toted a squishy bag full of spare eyeballs around to hold up in front of iris scanners, thus fooling the access systems, biometrics has been a buzzword, if only a minor one, but it has failed to catch on in a meaningful way. A few years back I speculated that this is because every existing biometric method has serious drawbacks. Fingerprints fade as you grow older, and some people don’t have any because they are afflicted with a rare disease called “Naegeli syndrome” or dermatopathia pigmentosa reticularis (DPR) that can cause vexing social problems. Recently, two identical twins were indicted for robbing the department store KdW in Berlin, but had to be released when the authorities found that it was impossible to determine which of them had actually done the heist since they share the same DNA. And many people instinctively refuse to put their eye to an iris scanner because they worry that they may be blinded by a flash of light from a malfunctioning machine.

Is SSO the key to the desktop?

04.04.2009 by Tim Cole

I recently had a cup of coffee with a couple of interesting youngsters from Hamburg, Christian Evers and Philipp Spethmann, who have set themselves a truly impressive goal. They are out to wrest nothing less than the control of German desktops from giants like iGoogle, T-Online, Yahoo! & Co. And they believe the way to do this is by providing consumers a safe and simple way to log onto their favorite websites.

Their company, founded two years ago with money from Ammer Partners, one of Germany’s big venture funds (yes, there still are functioning venture funds over here; many of them, in fact), is called “allyve” (pronounced “alive”), and they describe their product as “the keyring of the Internet.” What it boils down to is a set of widgets that provide single sign-on – they prefer the term “open authentication” – to a pre-defined list of favorite online sites. This is not the kind of OA that the OATH initiative is propounding; in fact allyve seems to be intent on doing things their own way instead of following the standards path (open or not). Good luck, I say.

In Praise Of Sabbaticals

01.04.2009 by Tim Cole

In early 2008, I asked my colleagues at Kuppinger Cole + Partner for leave of absence in order to take a “Sabbatical”, a kind of timeout. No, not because of burnout or anything dramatic like that, but rather because distance tends to sharpen your perspective, and I was worried that I was getting too wound up in the nitty-gritty of Identity Management as a specialized field.

As a more or less non-technical person, I had begun to believe that the issues addressed by this industry are much wider than many of us seem to realize. And in order to truly appreciate what is going on I felt I needed to take a step back.

In “Through the Looking-Glass”, Lewis Carroll describes a world on the other side of the mirror which closely resembles our own, but is subtly different. “How would you like to live in Looking-glass House?”, little Alice asks her kitten. While it appears to look just like the world on this side, “it may be quite different on beyond”, she speculates.

A German’s Hard Disk Is His Castle

29.02.2008 by Tim Cole

Germans became the best-protected users of computers and the Internet today when the Federal Constitutional Court set out strict rules for government agencies anxious to spy on their hard disks. The decision was widely viewed as a slap in the face for Wolfgang Schaeuble, the hard-liner Interior Minister who has been proposing that law enforcement agencies be given broad powers to monitor the computers and e-mails of suspects on their own authority. No, the court said, you have to ask a judge first. And if during the course of an authorized surveillance the police also happen to stumble across highly personal data, then it is their obligation to erase it “immediately”.

Surprisingly, German turns out to be a rather imprecise language. Forget their perfectionist image: “unverzueglich”, the word used in the court decision, can also mean “promptly”, “unhesitatingly” or even “instantaneously”, depending on context. So that leaves the cops quite a bit of leeway and doesn’t exactly please the digital rights crowd, either. Still, better than nothing, supporters say. Especially since the court also severely limited the use of one of Schaeuble’s favourite high-tech toys, the so-called “Bundes-Trojaner”, or “federal Trojan”; a piece of software allegedly under development at the BND, the German equivalent of the FBI, and designed to sniff out suspicious correspondence between terrorists. Never mind that nobody seems to have figured out how to sneak the state-sponsored malware past a simple virus detector, much less how to get the bad guys to click on the self-extracting application. And never mind that nobody in the Berlin government seems to have heard of PGP or other easily available encryption tools.

The historical dimension, if there is one, lies in the high court’s recognition of the individual’s basic right to being able to use a computer without fear of being observed. Collecting data stored or exchanged on a personal computer “directly encroaches on a citizen’s rights”, the judges decreed, given that fear of state-sponsored snooping could prevent “unselfconscious personal communication” which they deem a human right.

While lawmakers will be able to pass legislation on computer spying as planned, the court has laid down strict ground rules that are intended to limit the number of cases in which it will in fact happen. The greatest hurdle is the requirement of judicial approval in each and every case, with the burden of proof of “clear evidence of a concrete threat to a prominent object of legal protection” (e.g. life, liberty, or property) clearly lying with the authorities.

Unfortunately, the federal judges did not answer a number of basic questions, such as whether hacking personal data stored on another computer is to be considered a crime. This is especially interesting in view of recent German legislation that compels Internet Service Providers to keep records of all e-mail transactions for at least six months in case the police decide they want to see what a delinquent was doing. And while the judges do recognize the danger stemming from cache storage by programs like web browsers on an individual’s machine, they do not discuss caching by providers or search engine operators. Neither is there any mention of personalized portable devices like PDAs or Smartphones, leaving some confusion as to whether these are also covered by the definition “personal computer”. In fact, the brief specifically singles out PCs “such as those in many homes”, so conceivably it’s okay for the bulls to spy on your Blackberry once you leave the house.

Foreigners have long struggled with the concepts behind German privacy law which many, especially Americans, find exaggerated and counterproductive. If so, they will have to make an extra effort to get their head around the idea that hard disks, like homes, can be castles. But of course, anyone who has ever taken a boat ride down the Rhine is familiar with the German penchant for castle-building, so maybe it shouldn’t really come as a surprise.

Talking the talk with IBM’s Tom Noonan

14.11.2007 by Tim Cole

Tom Noonan of IBM ISS talks a mean speech. Yet somehow I came away slightly unconvinced from a press and analyst briefing he gave on Monday at ISS headquarters in Atlanta.

Maybe one reason was that he hardly used the term “identity” as he described in some detail how he perceives the world of IT security and threat management. Instead he has a lot to say about security becoming a utility, about disconnected parts and the need for a “security ecosystem” where the products of each and every vendor can work together to provide seamless and coherent protection of both data (the “new currency”, he calls it) and applications.

I was very excited about this vision of a kind of “security open platform” which would bring together the currently deeply fractured worlds of logical IT security and Identity Management (along with physical security, just to round things off; after all, the surveillance cameras all speak IP nowadays, so why not integrate them as well?)

A sentence like “Security will be the control system that creates policies across all applications” sounds great, but where’s the beef, Tom?

In fact, as his VP Tim McCormick later explained to me during an interview I did with him (see “In Our Ecosystem, Anyone Can Play”), the only ones who will really be able to participate are those with whom IBM and ISS (still two very different animals, even after a full year of integration) already have existing relationships. Okay, that’s a lot of partners, over 200 at last count. But it is a far step from an industry standard, which is what Tom obviously believes is necessary.

I do too, by the way, so I’m rather concerned that Tom and Tim are not taking the ball as far as they could. Why not assemble an industry-wide gathering of competitors from both IT Sec and IAM, maybe under the auspices of Oasis or some other standards body, and put your chips on the table? Everybody stands to profit from cooperation – because customers will not stand much longer for being forced to deal with a whole host of vendors, each offering some important part of the puzzle, but not the whole picture.

On paper, IBM looks like a pretty likely candidate to lead the way. After all, with the ISS acquisition they are now the market leader in managed security, which is the way to go. And with Tivoli busily buying up companies like Consul, Watchfire and the like, they can play a pretty mean game of business process protection as well as becoming a force to reckon with in the identity & access management space.

Just bringing all that together within the folds of IBM remains a daunting challenge. Taking the concept to its logical end, a security and identity ecosystem that will revolve around the customer and his needs – something where this industry, as Tom Noonan freely admits, has hitherto not really done a very good job – is a different kettle of fish.

Let’s see if, in the end, Tom can do more than just talk the talk.

A Prescription For A Healthcare Headache

28.09.2007 by Tim Cole

Anyone know where the biggest identity project in the world is going on today? Would you believe Germany?

It’s true, though. The “Electronic Healthcard” or “elektronische Gesundheitskarte” (known as the “eGK”) will soon be issued to some 80 million citizens, providing them for the first time with a digital identity aimed at reducing healthcare costs and improving the quality of service for patients. It may actually save some lives, too, by giving doctors a way to track patient histories and avoid possible side effects or drug allergies.

Of course, simply handing out 80 million chip cards isn’t going to transform the German healthcare system. First, some 120,000 family physicians and specialists, 65,000 dentists, 21,000 apothecaries, 2,200 clinics and 260 health insurance providers need to be hooked up, too. And this is turning out to be an identity management nightmare of truly historic dimensions.

Scheduled to go online in 2006, the project has been held up by bureaucratic hassles and technical glitches. The next round of tests is now set to begin sometime in 2008, roughly two years behind schedule. And it’s anybody’s guess when the system will really be up and running.

Even then, hopes are low that the initial goal of lowering the costs for Germany’s compulsory healthcare program will materialize. Experts agree that things like digital patient records and telemedicine can streamline the clunky system now in place. Unfortunately, that isn’t going to happen anytime soon.

Instead, the government has chosen to prescribe only the first step of the project, which will focus only on the administrative side and is designed to reduce paperwork. Okay, better than nothing, proponents say. But this could have been achieved by pimping the current system of insurance cards (“Versichertenkarte”) which already have chips baked into them but lack a photo of the patient. This, along with the fact that there is no way to quickly crosscheck to see if the patient is already being treated somewhere else, is an invitation to insurance fraud. “We get whole families of Turkish guest workers coming in and using mommy’s card to get free treatment”, a doctor recently told me.

All the goodies that might really make a difference in healthcare costs have been classified as “voluntary”. In the case of Germany’s cash-strapped clinics, many of which are tottering on the brink of bankruptcy, this probably means never. So much for telemedicine and the future hospital.

Identity management vendors face an uphill fight in persuading German healthcare officials and clinic IT admins to invest in hot new technology. Especially so since in typical German fashion the so-called “service providers” (read: insurance companies) and the German government have formed a bureaucratic monster called “Gematik”, a joint venture charged with developing the infrastructure framework and setting the standards for things like card readers and network interfaces.

Since most IdM vendors are from the U.S., they of course don’t have a say in the internal deliberations of Gematik and the German government. Instead, they are currently attempting to persuade individual public and university hospitals and private clinics to buy their products. Good luck, I say! Since Gematik takes its cues from the Delphic oracle, no purchaser or decision maker in his or her right mind will go out on a limb today and sign a check, since they may have to mothball the system in a year or two when Gematik finally draws back the curtain and reveals – surprise, surprise! – something completely different than expected.

Safe to say, therefore, that Germany’s eGK is not only the biggest identity project in the world, but one of the most enigmatic, too. Many clinic operators will use this as an excuse to keep their heads down and wait for Gematik to get its act together. Smart operators should focus on things like standardizing their systems, beefing up their infrastructure and doing identity data housecleaning, all of which will pay off some day no matter what technical framework Gematik finally comes up with.

IdM Vendors should up the pressure on Gematik to force them to provide a better glimpse of the direction they are thinking in, while touting schemes like identity federation based on open international standards as an alternative to a national German solo effort. They might also casually suggest that the German penchant for cramming everything they can possibly dream of into a single bloated solution may not be the best way to solve the cost crisis in healthcare. They might want to use a quaint German expression to describe the worst-case end result: It’s called “eierlegende Wollmilchsau” – an egg-laying, wool-growing, milk-giving pig.

© 2010 Tim Cole, Kuppinger Cole