10.02.2012 by Dave Kearns
It’s been almost 15 years since Business Layers and Oblix ushered in the new age of Identity and Access Management Systems (IAM systems) with what I called at the time the “killer app” for Directory Services – electronic provisioning. Even more incredible is that it’s almost 20 years since I wrote a workflow-based provisioning application (I even called it “employee provisioning”) based on Microsoft’s messaging application programming interface (MAPI). It actually was quite primitive in terms of 21st century provisioning tools in that it relied on automated email messages to inform people of things that needed to be done (grant access, deliver hardware, etc.) with an automated “nag” system if the task wasn’t marked as completed.
I know that my system is no longer used and I really doubt that the Business Layers’ and Oblix provisioning systems are still in use. But lots of people are still using lots of systems that no longer are offered. In the provisioning area alone I’ll wager that there are still installations from Thor, Waveset, M-Tech, Sun and more none of which are still being offered – at least not under that brand name.
And it’s not only provisioning systems that have gotten “long in the tooth” in your datacenter. Every aspect of IAM has probably moved forward at least one generation since you installed it, and many have moved quite a bit forward. Let me hasten to add that it probably isn’t your fault that this has happened, especially if you’ve followed the advice we’ve been handing out over those fifteen years since electronic provisioning first became a real possibility and the IAM revolution was launched.
Back then, and for some time after, no one vendor could supply all of your IAM needs. It’s possible to argue that that is still true, but – if it is – it’s less true today than it was, say 10 years ago. So what we, the IAM gurus, suggested was that you choose “Best of Breed” solutions and hammer them together. “Best of Breed” was an amorphous term, though, covering a great many things. In reality we meant “best for you” depending on your circumstances.
Getting all of those apps from all of those vendors to work together was a real chore – one that kept IAM consultants rolling in dough as they cobbled together scripts, apps, services and more so that you had a semblance of an IAM infrastructure.
Anyone who had gone through the experience of surveying the market, demo’ing software or trying out a “proof of concept” from multiple vendors for each area (Provisioning, SSO, Access Control, Governance, etc.) of the IAM continuum came through the exercise very tired, very bruised and very wary of starting again.
Over the years, the apps that were chosen were sometimes updated (by the customer – they were frequently updated by the vendor) whenever doing so wouldn’t break the intricate relationship with the rest of your IAM services. Sometimes – when a vendor was acquired – the app you were using would simply disappear from the market to be, perhaps, replaced by something similar (or not) depending on the whims of the new vendor.
What it all means is that those of you who should be commended for being the early adopters in the IAM space are, essentially, stuck with a cobbled together system which in many of its facets is no longer supported by its vendor, or may not even have a vendor to support it any longer.
Others of you, of course, would have spent an inordinate amount of time replacing parts of the system as mergers and acquisitions occurred. So you may have started out with Business Layers’ eProvisionware as a provisioning app. When that company was acquired by Netegrity, you might have switched your provisioning services to the leader at that time, Waveset, which, less than a year later, was acquired by Sun Microsystems. Still, you might have stayed with the people you know and, gradually, installed Sun Identity Manager. Which has now been acquired by Oracle.
Another possibility is that you, early on, went with Oblix for provisioning. Until they were acquired by Oracle early in 2005. Well, you quickly switched to the then highly recommended independent provisioning vendor – Thor Technologies. Which was acquired by Oracle!
Where does it all end? Will Larry Ellison eventually acquire everyone in the IdM space? Probably not, at least not as long as there are other major players. But what does it mean for you?
Two points I want to make up front:
- What was “Best of Breed” a few years ago may no longer be;
- Choosing “Best of Breed” today may be a security nightmare.
Yesterday’s “Best of Breed” was probably a stand-alone application from a vendor who was committed to a particular IAM niche. For example, PassLogix was long thought the Best of Breed Enterprise Simplified Signon (ESSO) solution. When that company was acquired 18 months ago, though (by, you might have guessed, Oracle) others who were using the product began to scramble to find a replacement – it was no longer feasible to add Passlogix’ V-Go ESSO to the other multi-vendor IAM apps you were using.
But the whole idea of a Best of Breed IAM stack from multiple vendors needs to be re-thought. The Best of Breed IAM stack was never seamlessly integrated. Scripts, publicly available protocols, data conversion hubs and some manual tweaking always seemed to be needed to insure that everything worked together. And it almost did work together. At the best of times it was probably 95% successful. But that 5% was the camel’s nose in the IAM tent.
That 5% “seam” – which for most installations was closer to 10% or 15% – is the area that hackers, crackers and other malcontents can exploit for their nefarious purposes. That’s where the security loopholes appear, and that seam can sometimes end up being close to 80% of your project cost, not the 5, 10 or 15% it should be.
So if your current Best of Breed solution is insecure and too complex, and if there’s really no way to improve its security by adding updates, upgrades or other potential Best of Breed applications, what should you do?
It’s time to move up a level. Rather than “Best of Breed” applications, it’s time to look at “Best Fit” suites.
You might think that with all the mergers and acquisitions of the past ten years that provisioning applications, in particular, would be offered by only a handful of vendors, but you would be wrong. Here’s a list of almost two dozen vendors offering provisioning solutions from very basic to extremely complex.
- Atos (Siemens)
- Avatier
- Beta Systems
- BMC Software
- CA Technologies
- Courion
- Evidian
- Fischer International
- Fox Technologies
- Hitachi ID Systems
- IBM Tivoli
- Ilex
- Institute for Systemmanagement
- Lighthouse Security Group
- Microsoft
- NetIQ Novell
- Omada
- OpenIAM
- Oracle
- Quest Software
- SailPoint
- SAP
Most offer that provisioning as one of a number of modules of a suite of IAM applications and services. In almost 100% of the cases, any IAM disciplines that the vendor hasn’t created in-house (or through acquisition) are offered from closely tied partners with assurances of relatively seamless connectivity, connectivity which you couldn’t hope to match by picking apps and services from a laundry list of vendors.
You might think that, since you’re picking a full-blown suite, this makes your job easier – the vendor has done the work of matching up and integrating the various parts. You would, of course, be wrong.
More than ever you will need to be extremely diligent in doing your homework, first by determining your organization’s needs and then by weighing each of the vendors’ offerings to see which is the best fit for you.
It’s not enough to take the suite with the most modules, even. More than likely it will include services you don’t want, don’t need or, perhaps, can’t legally run (think about privacy regulations, for example). But you will still pay for all of those modules, whether or not you use them.
You certainly don’t want to automatically take the best seller or the one that’s most popular with the critics and analysts – while those will be good choices, they’re not necessarily the best choice for your organization in its present (or future) circumstances.
So, how will you find the right suite for you, the one that will replace the hodge-podge of services or the orphaned apps that you are currently using? Let me offer one methodology.
In their book, The Innovator’s DNA: Mastering the Five Skills of Disruptive Innovators [Harvard Business Review Books], Jeff Dyer, Hal Gregersen, and Clayton M. Christensen present a study of successful innovators (e.g., Steve Jobs) and attempt to distill the habits which served them well in creating disruption and success. If you’re going to be successful at disrupting your IAM structure and innovating a new, secure IAM environment then you might want to consider these skills.
The five skills that should be mastered are: associating, questioning, observing, networking, and experimenting. What do they mean? The authors explain:
Associating refers to your ability to make connections across seemingly unrelated questions, problems, fields of study, or ideas. Associational thinkers draw on knowledge acquired through questioning, observing, experimenting and networking to link together unexpected combinations of problems, ideas and observations to produce new business ideas.
Questioning reflects your passion for inquiry (measured through the frequency and types of questions you ask) to find new insights, connections, possibilities, and directions. Active, honest questioning of the status quo provides a powerful tool for opening up new opportunities and uncovering new business ideas and directions.
Observing refers to your propensity to intensely observe (not just visually) the world around you on a regular basis — such as customers, products, services, and technologies — and through observation gain insights and ideas about new ways of doing things.
Experimenting refers to the frequency with which you explore with an experimental mindset, visiting new places, trying new things, seeking new information, and experimenting to learn new things. Experimenters constantly explore the world intellectually and experientially, holding convictions at bay, testing hypotheses along the way.
Networking refers to finding and testing ideas with a network of individuals who are diverse in both background and perspective. Networkers actively search for new ideas by talking to people who may offer a radically different perspective.
So, how does this apply to you, starting out to revise, revitalize and revamp your IAM infrastructure?
You’ve already begun if you’re Questioning your current IAM installation. Network with others in your organization, across all departments and functions from the top to the bottom. Discover what they like and don’t like about your current IAM stack and what related features and tools they would like to have to enable them to get their job done more easily, efficiently and effectively. Follow that up by Observing what is being offered by vendors in their suites of IAM services and which are applicable to your situation – and the wants and needs of your users. Once you’ve determined a short list of possible IAM suites, begin to Experiment with them. Set up test beds and see if the suites perform as their vendors imply. See if your users would be comfortable using these new tools and functions. Then Observe and Question your findings and revise your Experiments accordingly. Finally, Associate all of your findings, conversations, observations and experiments and make your choice.
It’s not a short process, nor is it an easy one. But the piano-wire-and-chewing-gum nature of your current IAM installation is going to come unraveled. And probably sooner rather than later. Get started now.
#####
To find out what’s new in IAM, join me along with representatives from Courion, Oracle and Atos for a look at “Best Practice Driven Identity & Access Management,” Tuesday, February 21 at 11:00 AM EST (17:00 CET/8:00 AM PST). Register here.
31.01.2012 by Dave Kearns
Well that didn’t take long.
Less than a week after I predicted that “2012 could be a very good year for privacy,” Google announced a new privacy policy, one which would apply across almost all of its services. Far from being seen as a good thing, though, the initial reaction was a large outpouring of grief by the privacy community. Even the general media portrayed the move in a dark light.
The Washington Post, for example, was quick to point out that “A user signing up for Gmail, for instance, might never have imagined that the content of his or her messages could affect the experience on seemingly unrelated Web sites such as YouTube.”
Some of the headlines for the stories about the change:
- Google Privacy Change Provokes Outrage (Information Week)
- Use Google? Time to Get Real About Protecting Your Digital Self (The Atlantic)
- How to close your Google Account (The Washington Post)
- Google’s New Privacy Policy Raising Questions in Washington (AdWeek)
- Google changes privacy policy to make the company one big product (VentureBeat)
- Google Changes Again, Launches One Privacy Policy to Rule Them All (Mashable)
- Google’s new privacy policy: Is this war? (KPCC radio)
- Big Brother? Google’s new privacy policy creates one massive database (Tecca)
And there’s many more just like them.
Common Sense Media claims to be “…dedicated to improving the lives of kids and families by providing the trustworthy information, education, and independent voice they need to thrive in a world of media and technology.” Their chief executive, James Steyer, was quoted in the Washington Post article as saying: “Google’s new privacy announcement is frustrating and a little frightening. Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”
Of course, everyone does have the option to “opt out,” by not using the service. Well, there is another way, which I’ll tell you about later.
Not all of the media was negative, though. Forbes magazine noted in its headline: “Internet Freak-out Over Google’s New Privacy Policy Proves Again That No One Actually Reads Privacy Policies”.
Google isn’t going to be collecting any more, or any different, information with this policy change. As explained in a Google blog entry (by Alma Whitten, Google’s Director of Privacy, Product and Engineering): “…we still have more than 70 (yes, you read right … 70) privacy documents covering all of our different products. This approach is somewhat complicated.” So the company is taking 60 or so of them (the others have legal reasons to be kept separate) and rolling them into one which “…covers the majority of our products and explains what information we collect, and how we use it, in a much more readable way.”
As a consequence of this, the new policy “…makes clear that, if you’re signed in, we [i.e., Google] may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products.”
Again, nothing new will be collected; it will simply be amalgamated into one record rather than 2, 5, 15 or more under the current policy. Will this help users, or hurt them?
The jury is still out on that, of course, but I personally believe it will help many more people than it might possibly hurt. The telling point is who gets to see that accumulated data.
As the above cited blog post notes, “We remain committed to data liberation, so if you want to take your information elsewhere you can. We don’t sell your personal information, nor do we share it externally without your permission except in very limited circumstances like a valid court order. We try hard to be transparent about the information we collect, and to give you meaningful choices about how it is used.”
Ah, so how will it be used?
Generally, Google’s critics and the company itself agree that the data will be used to personalize your experience across the multiple Google platforms (search, Gmail, Google+, YouTube, Android, etc. – each of those “70 plus” privacy policies referenced earlier refers to a different service/platform). Some see that as, well, in Gizmodo’s words: “The End of ‘Don’t Be Evil’.”
Google, though, thinks this will – for the great majority of its users – improve their on-line experience and improve it dramatically.
Not only will the search engine know more about what you’re searching for (if you enter “Jaguar” as a search term, do you mean automobiles or wild animals?), but it can tailor the advertising you see (and you will see advertising) to your tastes and desires. So if I enter “Manneken Pis” as a search term (or to find pictures) I might see that priority is given to the famous Brussels statue or it might be to the restaurant in Olney, Maryland (about 10 miles from my office). The deciding point might be where my Android phone indicates I’m located at the time I search.
Some people find that “creepy.” I’m not one of them.
For twenty years I’ve been waiting for a personalization service like this. It was one of the reasons I became so interested in directory services and, later, identity services. It’s the promise of being my personal assistant, in theory, that’s finally being delivered.
One example that Google’s Whitten points out: “We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day.” She could have added that emails could be automatically sent to the others scheduled for that meeting letting them know you would be late – and actually reschedule the meeting knowing what their calendars look like and approximately how long it will take you to get to the office. I find that to be an excellent use of technology. If it also means I’ll see more ads for cruises, antiques and restaurants (things I’m interested in) and fewer for shoes, fast food and skiing (which I’m not interested in) then I consider that a plus.
Now, if Google was going to package this information and distribute it to its advertisers or sell it to other third parties to do so, then I’d be in the forefront of those protesting – and I’d quite possibly be looking to replace those Google services I do use. But they aren’t. Google’s policy regarding this data stays the same, “We don’t sell your personal information, nor do we share it externally without your permission. [emphasis added]” No one has ever shown that Google violates this pledge.
Forbes’ Kashmir Hill sums it up best, I think: “When Google starts bundling everything it knows about its users and selling that to insurance companies, background check companies, and the Department of Homeland Security, that’s when I’ll trot out the ‘evil label.’ But using information from Gmail to suggest more appropriate YouTube videos or reminding an Android smartphone user that they have a Google calendar appointment in a half hour on the other side of town doesn’t strike me as the work of Lucifer.”
I did promise you a way to stop Google from amalgamating all of your data, didn’t I? It’s quite simple, just create separate accounts for the services you want to keep separate – Gmail, YouTube, Picasa, what have you. Google can’t force you to put every service under one account, so you can do this to maintain relative privacy – just remember which accounts cover which services!
In other privacy news, the EU has proposed updated regulations covering data breaches and the mis-handling of personal information. Companies could face penalties as high as 2% of their yearly global sales (not just EU sales) but, on the plus side, companies would now only have to deal with the privacy agency of the country they’re headquartered in rather than face all 27 EU data-protection agencies. So, stricter rules, bigger “teeth” in the law but easier compliance – it’s too soon to tell if this is a plus or a minus – and for whom.
Finally, a new debate is starting in the US about privacy and healthcare. Some have proposed what’s called a universal patient identifier, or UPI – a single unique health-care identification number for every inhabitant. This would be very useful for doctors, emergency workers, hospitals, pharmacists – and patients. Proponents say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. Privacy activists say the data would be collected and sold to third parties causing a rise in distrust of the medical profession and a deterioration in care. Expect this debate to go on for quite some time.
Here at KuppingerCole we’ll be following these issues – as well as all identity privacy issues – as they play out round the world.
17.01.2012 by Dave Kearns
Happy New Year! At least, I sincerely hope the new year will be a happy one. But – at least in the Identity and Access marketplace – I fear it will be more of the same with banner headlines touting security breaches, insider scams and worse. Without further ado, here’s what my crystal ball sees coming down the pike in 2012.
Phishing ramps up, especially spear-phishing
Phishing is the hacker’s “art” of getting authentication and/or identity information through social engineering methods. Typically this is done via email (for example, telling you to click a link to keep your bank account credentials updated) but can also be done by means of social networking sites (such as Facebook or Twitter). Spear-phishing is typically a combination of the two, when company information is harvested from, say, Facebook or LinkedIn then people in that organization are targeted via email. This was the method used for the RSA breach which has now been attributed to persons acting on behalf of a nation-state (rumored to be China, but no “smoking gun” has been revealed).
Standard old-fashioned phishing, due to its “scatter-shot” nature, is fairly easy to combat with email security apps. Bayesian filters, originally developed to keep spam out of your inbox, can be equally effective with the phishing emails which are usually about bank accounts, on-line retail accounts or other sites where credentials and/or credit card numbers can be expected to be found. Typically, the email recipient is re-directed to a fraudulent web site made to look like the legitimate one, or given an attachment with the email described as a form to fill out (with loads of identity information requested) which must be submitted in order to “regain access” to the site in question.
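To make the “Bayesian filter” point concrete, here is an added example (mine, not the column’s, and not any vendor’s product) of a minimal multinomial naive Bayes classifier in Python. The training messages, the two test messages and the class labels are all constructed for illustration; the scatter-shot phishing vocabulary (account, verify, credentials, suspended) is what lets a filter like this separate the phish from routine office mail.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training messages (subject and body run together); not real mail.
TRAINING = [
    ("urgent verify your bank account now click the link to restore access", "phish"),
    ("your online account has been suspended click here to update your credentials", "phish"),
    ("confirm your credit card details to avoid account suspension", "phish"),
    ("security alert login to verify your password immediately", "phish"),
    ("the quarterly budget meeting moves to thursday see attached agenda", "legit"),
    ("can you review the draft report before the client call", "legit"),
    ("lunch order for the team is due by noon", "legit"),
    ("reminder the project retrospective is scheduled for friday", "legit"),
]


def tokenize(text: str) -> list:
    """Lowercase word tokens; a real filter would also look at headers and URLs."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing over word tokens."""

    def __init__(self):
        self.docs_per_class = Counter()        # how many messages per label
        self.tokens_per_class = Counter()      # how many tokens per label
        self.token_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def train(self, text: str, label: str) -> None:
        tokens = tokenize(text)
        self.docs_per_class[label] += 1
        self.tokens_per_class[label] += len(tokens)
        self.token_counts[label].update(tokens)
        self.vocab.update(tokens)

    def log_scores(self, text: str) -> dict:
        """log P(class) + sum over tokens of log P(token | class), per class."""
        tokens = tokenize(text)
        total_docs = sum(self.docs_per_class.values())
        vocab_size = len(self.vocab)
        scores = {}
        for label, ndocs in self.docs_per_class.items():
            score = math.log(ndocs / total_docs)
            denom = self.tokens_per_class[label] + vocab_size
            for tok in tokens:
                # Smoothing keeps unseen tokens from zeroing out a class.
                score += math.log((self.token_counts[label][tok] + 1) / denom)
            scores[label] = score
        return scores

    def classify(self, text: str) -> str:
        scores = self.log_scores(text)
        return max(scores, key=scores.get)

    def phish_probability(self, text: str) -> float:
        """Normalise the log scores into P(phish | message)."""
        scores = self.log_scores(text)
        m = max(scores.values())
        norm = sum(math.exp(s - m) for s in scores.values())
        return math.exp(scores["phish"] - m) / norm


def build_filter() -> NaiveBayesFilter:
    nb = NaiveBayesFilter()
    for text, label in TRAINING:
        nb.train(text, label)
    return nb


if __name__ == "__main__":
    nb = build_filter()
    for msg in ["please verify your account password by clicking the link",
                "agenda for thursday team meeting attached"]:
        print(f"{nb.phish_probability(msg):.3f} {nb.classify(msg):5s} {msg}")
```

The same limitation the column goes on to describe shows up here: a spear-phishing message written in the target organisation’s own vocabulary (project names, colleagues, an expected attachment) carries few of the tokens the filter learned as phishy, so its score looks like ordinary mail.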
More recently, the attachments have included a Trojan-like payload which is insinuated onto the recipient’s computer when the attachment is opened and this is the preferred method for spear-phishing attacks. For example, the RSA attack was an email with the subject “2011 Recruitment Plan.” Attached was a spreadsheet titled “2011 Recruitment plan.xls.” The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (since corrected by Adobe).
It’s extremely difficult, if not impossible, to automate a defense against spear-phishing. Draconian measures would be needed such as forbidding employees to put company information on social networking sites or quarantining all email with attachments. The only effective measure in combating these types of attacks is user education. It’s expensive, it’s time-consuming and it’s less than 100% effective. In the RSA case, the infected employee retrieved the spear-phishing email from their trash folder!
Your money is better spent in strengthening protection on your valuable assets. Data encryption, for example, could have saved quite a few companies embarrassment in 2011, such as security consultant STRATFOR. Vow right now to encrypt all valuable data and all identity data for your organization.
New buzz words and phrases
A buzzword you may or may not hear, but that you will surely be a target of is “cloudwashing.” By this is meant the effort by vendors to associate all of their products with “the cloud” as in cloud-based computing. Whether or not the product has anything to do with cloud-based computing it will, nevertheless, be touted as somehow enabling or protecting cloud data, access, configuration, or what have you. Don’t take their word for it, ask them to demonstrate these cloud properties before you buy. While the cloud is evolutionary, not revolutionary, it still has some unique requirements in the areas of identity and security that need to be properly addressed by apps and services designed specifically for that use – not ones which only had their marketing brochures reprinted.
We first heard about BYOD (Bring Your Own Device) in 2011 in regard to employees wishing to add connectivity to the corporate network for their iPhones and iPads. 2012 will also see them wanting to connect their Android devices (phones and tablets) so that they can do the organization’s business “their way.” While your first thought might be to resist this effort at all costs, that “cost” could be your job. Your boss, and his boss all the way up will want to use their own devices (which are probably more powerful than the company issued ones). Instead, start working now on how to safely allow them to attach to the network. Make it part of your provisioning process, so that you can quickly and easily de-provision them when the need arises – which it will, as devices become lost or stolen and employees come and go. The concept of BYOD isn’t new (I was first approached by a marketing VP with such a request back in 1987), but the emphasis is about to become dominant.
All new attack vectors, now with bright, shiny things
Malware, and malware purveyors, continually evolve. 2012 won’t halt that trend. I mentioned above the spear-phishing attacks, such as the one against RSA, which delivered a malware payload as an attachment to email. That’s a trick used in more generalized phishing, also, but the more used method is to phish someone to click on a link to a website (which might be disguised as one trusted by the target user) where a payload is surreptitiously attached to the target’s computer. But these attacks require the target to either open an attachment or click on a link that, hopefully, an educated user would recognize as a phishing attempt. So the hackers and crackers are developing new attack vectors.
One of the more insidious is to attack advertisement servers (such as Google’s DoubleClick service), either through “traditional” hacking into the server or by spear-phishing people with access to the server. These sophisticated attacks (see one description here) are hard to track down because they can be delivered from any site which uses ads from that server while the malware isn’t delivered with every ad request. You might think you got infected at funnykatz.com, but if you go back there you’ll find no evidence of something bad downloading to your machine.
Good, up-to-date anti-malware services should be installed for all users, but better education of those who have access to the powerful machines in your domain is also required. It’s really best to lock the door before the horse has a chance to wander outside!
Finally, the good news
It isn’t all gloom and doom for 2012, I feel. There will be decided improvements on the privacy front. Not a complete victory, by any means, but an improvement.
The concept of Privacy Enhancing Technology (PET) isn’t new. It was defined almost 10 years ago in “Handbook of Privacy and Privacy-Enhancing Technologies” as “…a system of ICT measures protecting informational privacy by eliminating or minimising personal data thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system.” Microsoft’s recently acquired U-Prove technology is a current example. I think we’ll see more of technologies like this in coming software offerings because of another “overnight sensation” that was many years in the making.
Way back in the last century, Dr. Ann Cavoukian came up with the concept of “Privacy by Design.” Here’s how she described it:
“Back in the ’90s, it was clear to me that the time was upon us when legislation and regulation would no longer be sufficient to safeguard privacy. In my view, with the increasing complexity and interconnectedness of information technologies, nothing short of building privacy right into system design could suffice. So I developed the concept of Privacy by Design (PbD), to describe the philosophy of embedding privacy proactively into technology itself – making it the default.”
In other words, privacy shouldn’t be the icing on the cake, put on after the cake cools. It should be a major ingredient baked right in from the start.
Consider Facebook. A typical week or month at the social networking site goes like this:
- Facebook rolls out a re-design or a new feature to “enhance the user experience” (in reality, to enhance the advertiser’s experience);
- Privacy advocates discover all sorts of hidden flaws;
- Facebook scrambles to make corrections;
- Repeat.
Now that Dr. Cavoukian is the Privacy Commissioner for Ontario province in Canada a lot more people are paying attention to Privacy by Design and encouraging software vendors and service providers to incorporate the philosophy into their work by building in privacy from the start. Pressure from the growing privacy community will force the vendors to comply. 2012 could be a very good year for privacy.
In order to “accentuate the positive,” I’ll be hosting a webinar on January 26 on the subject of Privacy by Design. Joining me will be Dr. Cavoukian to explain the concept, Michelle Dennedy (Chief Privacy Officer at McAfee) creator of the iDennedy Project and author of the “Privacy Matters” blog as well as a surprise guest from the vendor community. Please join us for this fascinating topic.
23.12.2011 by Dave Kearns
Passwords have been the security standard for thousands of years, ever since they replaced biometrics as the preferred method of authentication.
Biometrics? That’s right. From pre-historic times access to secure sites (food/money storage, military camps, etc.) was biometrically controlled – the guard either recognized you or didn’t. If he recognized you and was aware that you had clearance then you’d be allowed access. Otherwise, you might get run through with a sword.
But as the population needing access to secure sites increased, it was no longer possible for every guard to know every authorized person. So the password was invented, and – try as we might – it’s still the most popular way to gain access to secure sites.
I’ve been writing about – and railing against – passwords for far too long now. Back in 2006 I ranted at the University of Pennsylvania for their then new policy of forcing users to change passwords annually! Then in 2009, I castigated the US National Institute of Standards and Technology for publishing “Guide to enterprise password management.”
Every identity and security guru worth his salt has at one time or another (and often more frequently) said that: 1) you should stop using username/password as an authentication method; and 2) if you must use passwords, make sure they are “strong” passwords.
There are two components to strengthening passwords:
- Length – make your passwords long with eight or more characters.
- Complexity – include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing “and” to “&” or “to” to “2.”
Therefore it was with a feeling of deep chagrin that I recently read a report from mobile application vendor SplashData that compiled a list of the 25 most common passwords used on the Internet this year. They did this by scouring files containing millions of stolen passwords posted online by hackers. The top 10 most frequently used were:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
Some would be quick to point the finger at the iPhone generation for these easily guessed passwords, but as my former colleague, Ping Identity’s John Fontana, pointed out: “A 1990 study of Unix password security showed a user preference for weak passwords, such as ‘password’ and ‘12345’. By the mid-90s, ‘abc123’ joined those two padlocks of password security.” So, really, we’re all to blame.
As a side note, security expert Bruce Schneier reported in 2006 that among the 20 most popular passwords on MySpace.com were “monkey” and “monkey1”. I’ve only checked English language passwords, but I do wonder if among the top 20 German passwords we can find “affe” and “affe1”.
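To make the two strengthening rules above concrete, here is an added example (my own code, not from the post or from SplashData) of a policy check that enforces length and character variety and also rejects the common passwords quoted above, after undoing the letter-to-symbol substitutions that cracking tools try automatically. The substitution table and the minimum-class threshold are my assumptions, not values from the post.

```python
import re

# Constructed from the top-10 list quoted in the post (SplashData, 2011).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "monkey", "1234567", "letmein", "trustno1", "dragon",
}

# Assumed letter-to-symbol substitutions that cracking tools reverse
# automatically; "&" for "and" and "2" for "to" come from the post itself.
SUBSTITUTIONS = {
    "@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i",
    "4": "a", "5": "s", "7": "t", "&": "and", "2": "to",
}


def normalize(password: str) -> str:
    """Undo common substitutions so 'p@ssw0rd' is judged as 'password'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password: str, min_length: int = 8,
                   min_classes: int = 3) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")

    # Compare the raw form, the form with trailing digits/symbols stripped
    # (catches 'Monkey99'), and both after undoing substitutions.
    raw = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", raw)
    candidates = {raw, stripped, normalize(raw), normalize(stripped)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a common password "
                        "(after undoing symbol substitutions)")
    return problems


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd1!", "Monkey99", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw) or "ok")
```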
It is evident that users do not want to give up using passwords. Nor, for that matter, do most application and service programmers. It’s also evident that users avoid strong passwords. And when they are forced to use strong passwords (or have them automatically generated), anecdotal evidence shows that the users will write them down and keep them close by their keyboard (or other input devices).
So what can we do?
For years I used a browser add-in called “Sxipper,” developed by Dick Hardt who was a co-founder of OpenID. Sxipper was not only a tool to remember usernames and passwords (as well as all the details needed to fill out forms) but was also a password generator, creating randomized groupings of letters, numerals and other characters that were well past the ability of most users to remember. But, of course, they didn’t need to remember them – Sxipper did it for them. Sxipper could save a file containing all of your data to local storage (in case there was ever a problem) but, sadly, this wasn’t encrypted, nor was authentication required to access Sxipper once your computer was up and running (i.e., authenticate to the OS and you could run Sxipper). Sxipper was officially killed early this year.
Even before that, though, I’d switched to using Chipdrive MyKey from SCM (now Identiv). Besides encrypting the archive file, it uses a USB stick which makes the service portable among all of your USB-enabled devices. It doesn’t, unfortunately, create passwords so I do need to be disciplined about that.
But Sxipper and MyKey are, essentially, single user solutions. What is the enterprise to do?
Some would suggest enterprise simplified signon (ESSO) is the answer, but most of those allow the user to choose their own passwords and simply, passively, deliver them up as needed. That doesn’t allow for enforcing a strong, non-reusable, frequently changed password policy.
Instead, my suggestion is to adapt one of the Privileged Account Management (PAM) tools to the entire enterprise. There are plenty to choose from, offered by vendors such as: BeyondTrust, Cyber-Ark, Quest Software, Thycotic Software, Apere, Avecto, Xceedium, Fox Technologies, i-Sprint Innovations, Lieberman Software and Siber Systems. Some of these are stronger than others, and prices vary accordingly. None is right for everybody, so investigate to discover which is right for you.
To take one example, though, let’s look at Cyber-Ark’s Enterprise Password Vault (EPV). Not only will EPV securely store passwords, but it will also generate strong passwords and change them regularly – up to doing so after every use! It will, of course, also audit and report on the use of those passwords. The icing on the cake is that you can by-pass username/password for accessing EPV – RSA SecurID, Web SSO, RADIUS, PKI and smartcards are all configurable methods for connecting to the vault.
Sad to say, passwords are not going to go away anytime soon. Users, and developers, won’t let them. But at least we can ensure that the strongest passwords are used, without the chance for compromise by the very users they’re meant to protect.
That’s my Christmas present to you: ensure a prosperous New Year by creating (or modifying) your password policy and finding the best way to enforce it. Happy Holidays!
15.11.2011 by Dave Kearns
It was just over 10 years ago, at the annual Catalyst conference, that provisioning rivals Business Layers and Access360 sat on different sides of the conference meeting room (the ballroom of the Marriott hotel in San Diego) and hurled catcalls and invective at each other. A year later, they’d matured (as had the technology) and – under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS) – joined to help form the Provisioning Services Technical Committee. A year after that, in 2003, the committee demonstrated the first release of the Provisioning Services Markup Language, soon changed to the Service Provisioning Markup Language (SPML), in action. We saw that XML messages containing provisioning data could be exchanged between and among different provisioning engines. Joy ensued.
Followed by ennui. Nobody did very much with SPML, but it was, after all, just a 1.0 release – and no one can do much with a 1.0 release.
Just as I was beginning to think that SPML might be merely an asterisk in the history of Identity Management, the wonderful folk at OASIS, on behalf of the Provisioning Services Technical Committee (they never did change THEIR name!) released version 2 of SPML into the wild in 2006.
Followed by even greater ennui.
The thought began to emerge that the provisioning vendors, not wishing to give their competitors any advantage, were deliberately dragging their feet on implementing provisioning standards.
Fast-forward five years to the spring of 2011.
A mixed group of cloud service providers (Google, Salesforce.com et al), identity product vendors (Ping Identity, UnboundID, Okta and others) and other interested parties (VMware and Alcatel/Lucent) met and decided: 1) that there was a need for electronic provisioning of cloud services; and 2) that SPML wasn’t the answer.
Provisioning vendors did pay lip service to SPML in their products, and “best practice” lists for customers encouraged them to include SPML capability as a checkbox on their RFPs, but few, if any, application vendors had implemented SPML in their production services. It was also thought to be slow and ponderous in practice. Ping’s CTO, Patrick Harding, said about SPML: “My quick analysis would be to say that SPML looks, feels and acts like a boat anchor.” Harding also noted that customers simply want something that works and that the adoption of REST (Representational state transfer) and JSON (JavaScript Object Notation) in the Cloud is exploding (as opposed to SPML’s XML-basis).
What this group has created is SCIM (Simple Cloud Identity Management).
Initially, I was opposed to SCIM – I thought that SPML could be moved forward to encompass cloud-based services relatively easily. The folks at Oracle evidently thought so too, as they introduced a new draft to the Provisioning Services Technical Committee (the SPML folks) at OASIS touting what they called RESTpml. The response to the call for a RESTful binding of SPML was pretty much what it was for the original SPML – none.
My colleague, Martin Kuppinger, also voiced some skepticism about SCIM (“SCIM – will SPML shortcomings be reinvented?”) last spring when he said “There might be a good reason for an effort like SCIM. But just being a REST-based standard but not really thinking beyond what SPML supported won’t solve the real world problems. Thus I strongly recommend to rethink SCIM and to look at significantly extended use cases.”
I also had noted that no provisioning vendor had stepped forward to embrace SCIM. That’s now changed, as Courion announced their support earlier this month.
So it’s time I ate my words and changed my opinion. I’ll leave Martin to decide if recent events have been enough for him to change his.
SCIM is getting support from vendors. It has also recently been adapted to include schema extensions deemed necessary for it to be used for provisioning within the datacenter. It appears to be a standard whose time has come.
So what is SCIM? Here’s what the group creating the specification says:
“The Simple Cloud Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud.”
For those of you interested in how it might work, there’s a very good use case detailed here.
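As an added illustration of the “common user schema and extension model” the quote describes (my own example, not from the SCIM group or any vendor), this maps a constructed HR record to a SCIM user carrying the enterprise extension the datacenter use case needs, and checks that every declared schema has its attribute block. The schema URNs and the enterprise attribute names are my recollection of the SCIM 1.1 draft; verify them against the current specification before relying on them.

```python
import json

# Assumed SCIM 1.1 schema identifiers (check against the current draft).
CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"

# Constructed sample record from a hypothetical internal HR system.
HR_RECORD = {
    "id": "E10422", "login": "jdoe", "first": "Jane", "last": "Doe",
    "email": "jane.doe@example.com", "dept": "Finance",
    "manager_id": "E10001", "status": "employed",
}


def hr_record_to_scim(record: dict) -> dict:
    """Map an internal HR record to a SCIM User with the enterprise extension."""
    return {
        "schemas": [CORE, ENTERPRISE],
        "userName": record["login"],
        "name": {"givenName": record["first"], "familyName": record["last"]},
        "emails": [{"value": record["email"], "primary": True}],
        # A leaver is deprovisioned by flipping 'active', not by deleting.
        "active": record["status"] == "employed",
        ENTERPRISE: {
            "employeeNumber": record["id"],
            "department": record["dept"],
            "manager": {"managerId": record["manager_id"]},
        },
    }


def validate_scim_user(user: dict) -> list:
    """Return structural problems; an empty list means the resource is consistent."""
    problems = []
    schemas = user.get("schemas", [])
    if CORE not in schemas:
        problems.append("core schema not declared")
    if not user.get("userName"):
        problems.append("userName is required")
    # Every declared extension must carry its attribute block, and vice versa,
    # so a receiving provisioning engine never silently drops HR data.
    for urn in schemas:
        if urn != CORE and urn not in user:
            problems.append(f"declared extension {urn} has no attribute block")
    for key in user:
        if key.startswith("urn:") and key not in schemas:
            problems.append(f"attribute block {key} not declared in schemas")
    return problems


if __name__ == "__main__":
    user = hr_record_to_scim(HR_RECORD)
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
```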
SCIM now appears to be our best chance for any sort of public provisioning standard, something we desperately need (and have needed for years). It may be time to overlook its shortcomings, plan for the second version and put it into practice both for the cloud and for the datacenter.
26.09.2011 by Dave Kearns
Last spring, the world was up in arms over alleged tracking of users’ locations by iPads, iPhones and Smartphones powered by Google’s Android operating system. According to a story from ABC News, “…Just days after researchers demonstrated that some Apple iPhone and iPad owners have had their locations tracked by their devices, another security researcher revealed that Android phones, which use Google’s mobile operating system, store users’ geographic information in a very similar manner.”
Interestingly, though, Apple had revealed that information a year earlier in a letter drafted in response to a US congressional inquiry (from Congressmen Edward J. Markey, D-Mass., and Joe Barton, R-Texas). In the letter, dated July 2010, Apple’s general counsel Bruce Sewell said that to provide location-based services, Apple, its partners and licensees, may collect, use and share customers’ precise location data, including GPS information, nearby cell towers and neighboring Wi-Fi networks. But he added that the information is collected anonymously and the devices give users controls for disabling the location features. In addition to giving Apple customers the ability to turn off all location features with one “on/off” toggle switch, Apple requires applications to get explicit customer consent when asking for location information for the first time.
Not so with Facebook.
The new Facebook Timeline will also track things you’re doing. But there are two major differences between Timeline and the Apple & Google tracking:
- Facebook will publish all of your activities to your “friends”;
- Facebook will track you even when you’re logged out!
As John D. Sutter wrote for CNN:
“I’m listening to the band LCD Soundsystem on an Internet music service called Spotify. Because I’ve updated my Facebook page and because I’ve logged in to Spotify with my Facebook identity, every song I listen to is automatically shared to Facebook. Suddenly, my listening experience isn’t private. It’s public. All my Facebook friends are watching. And judging. Chances are this will affect people’s behavior online. If you’re a closet fan of Lady Gaga or Bjork or Enya (I’m all three), then you’ll just have to stop listening to those potentially mockable artists — either that, or all your Facebook friends will be chiming in with comments…”
Sutter continues:
“And so it goes with all kinds of the new ‘real-time’ apps.
Since I’ve logged in to Yahoo! News with Facebook, every time I read an article on that site, it goes to my Timeline.
The same is true for Hulu and TV shows.
And for the Internet game “Words with Friends.” When I play a Scrabble-style word in that game, it will show up on Facebook, along with an image of the current playing board.”
This is scary. This is, really, akin to stalking. But wait – Facebook executives, at the recent F8 conference introducing Timelines, also made it clear that users will be able to maintain granular privacy settings for each piece of content, essentially showing different Timelines to different groups of users. Well, yeah, and we know how religiously Facebook’s users mark each bit of data so that only their intended audience can see it! (That’s sarcasm, in case you missed it).
Once again, Facebook shows a decided lack of understanding of both its users and privacy in general. Unfortunately, most users will simply shrug and say “what’s the alternative?” (hint: It isn’t Google+).
19.06.2011 by Dave Kearns
Privacy and anonymity have been associated with the internet at least since Peter Steiner’s famous cartoon on page 61 of the July 5, 1993, issue of The New Yorker which originated the meme “On the internet, nobody knows you’re a dog.” Yet today most people are no clearer about the difference between the two (or among those and their cousin, pseudonymity) than they were twenty years ago.
I bring this up because the general press and the blogosphere have once again been lit up in a discussion of identity, anonymity and privacy. “A Gay Girl in Damascus” was a much talked about blog. As described by Judith Timson, in Canada’s Globe and Mail, it was: “…the riveting blog of ‘Amina Arraf,’ a young and bravely out Syrian-American lesbian in Damascus who attracted international media attention by chronicling both the revolution there and her own personal life in such posts as: ‘Why I am doing this. I live in Damascus, Syria. It’s a repressive police state. Most LGBT people are still deep in the closet or staying as invisible as possible. But I have set up a blog announcing my sexuality, with my name and my photo. Am I crazy? Maybe.’ ”
Timson, though, thinks that Tom MacMaster, a 40-year-old American graduate student at the University of Edinburgh who wrote the blog (as a way to improve his writing skills) “…is but a laughable subset in an increasingly creepy world of online poseurs, a confusing community full of avatars, alts (alternative identities) and something called ‘sockpuppets,’ which, as far as I can make out (with a little help from Wiki), are online identities ‘used for purposes of deception within an online community’.”
And what was MacMaster’s crime? According to Timson: “Tom MacMaster was chastised for diverting attention from authentic human-interest stories in the tumult of Syria, not to mention appropriating ‘the lesbian voice’.”
One wonders if Ms Timson would say something similar about Mary Ann Evans (A.K.A. George Eliot).
Mr. MacMaster used what we call a persona, Ms Timson might call it a “fake” persona – a term New York Times reporter Sarah Perez used in the article “The End of Online Anonymity,” a few years ago in reference to a court ruling in Missouri which she claimed would criminalize the use of fabricated personas. Ms Timson (and many of her readers) might applaud that ruling.
However, so-called “fake” personas have been a staple of writers and storytellers from at least the days of Homer. Any novel with at least one character has “fake” personas. But, you may say, the author isn’t pretending to be that character, are they? Well, consider the “autobiography” of Howard Hughes. This was called a hoax, it’s true, because Howard Hughes could be proven to really exist. But what about the autobiography of a fictional character – such as David Copperfield (the Dickens character, not the illusionist)? There’s certainly no ‘crime’ there (unless you’re a high school sophomore forced to read it!).
People create many personas for themselves, especially on-line, for many different reasons. Mr. MacMaster created a persona, a pseudonymous identity for the purpose of creating a riveting documentary-style fiction. That act harmed no one. But when The Guardian newspaper tied him to the “A Gay Girl in Damascus” blog they certainly did violate his privacy – they revealed information about him which he (presumably) didn’t want revealed. That’s the “crime” we should be talking about.