Personal Data Vault – putting YOUR data in YOUR hands

27.01.2012 by Sebastian Rohr

I still remember the fun that was had when Dick Hardt first made his cool presentations on User Centric Identity Management and regaining control of who would have access to what attribute of your multiple personas, be it online, at home or at work. We all know that his company Sxip Identity failed because it did not gain enough momentum to monetize the idea. Still, concepts such as the (also “failed”, much to my dismay) Information Cards by Microsoft or the OpenID approach share some aspects of the Sxipper product – putting you in control of your data. The current hype around the new EU privacy and data security legislation is putting some more focus on this!
Apparently, only very tech-savvy users – geeks like you and me – seem to widely adopt and use OpenID. I personally was attracted to Clavid, a Swiss IDP that combines OpenID with the one thing missing everywhere else: Strong Authentication! Most of you know that this is sort of my pet topic here at KCP, and so I was really amazed to see them offer Yubikeys, Avionics’ Internet Passport and even SwissID Government issued certificates as a means of strong authentication – making Clavid an early representative of the prospering “Authentication as a Service” market segment. Not prospering enough, I guess, as I did not see the Clavid guys buying fast cars and castles at Lake Geneva’s shores…
Anyway, the concept of letting us – the users/consumers/customers – decide on who gets access to which detail of my life and (digital) identity remains an unsolved issue. Be it the tedious task of filling out form after form to get your kid into day-care or getting new insurance for your car – you have to share information about yourself and your loved ones and wonder: do they REALLY need that info? And if so: why do they ask me the same questions over and over again?
Wouldn’t it be nice if more of these form-fields could be “auto-filled”, depending on your choice of what to disclose and what not? Wouldn’t it be great to have one common place to securely store all the insurance information, account information and whatnot? Just like putting your valuables in a bank deposit box (or your high-security safe in your secret lair downstairs, depending on whether you are a super villain or not)? You could even “compartmentalize” your life into stuff belonging to work/career (like digital versions of all your certifications and endorsements), your personal leisure activities (like memberships in sports clubs and your fishing license, Open Water Diver certificate), your kids’ info (school district, Headmaster contacts, the football team coach) and the list continues.
I recently tried to gather my family’s core identity data, such as passport and ID card numbers, SSN, healthcare ID, tax ID etc. and it took me a full Sunday. Last week I did it all over again, as I misplaced the sheet of paper I used – pretty old school, don’t you think?
But all personal stupidity aside: wouldn’t it be great to use that “digital vault” full of your own personal data to actually ERASE all the personal details that are stored at the gazillion companies and organizations you interact with day to day? Why must I put my CC info and full address with “your airline of choice”, if I could use their services “pseudonymously” and only allow access to those details “on demand” while I actually book a flight? Currently, if I lose my CC or it expires, the internet economy burdens me with changing my CC info on each of the gazillion pages I do business with. Why?
I am looking forward to a (hopefully very near) future, where I can actually manage my data in one place and have those who need access to it authorized on a configurable basis. Sure, my employer should have continuous access to my bank account information! But if I am leaving – how can I make them erase that info on file today?
Look out for some cool new announcements and blogs on KCP on this – my colleagues will provide more info as it becomes “freely available” :-)


Information (hardware-) Security

24.10.2011 by Sebastian Rohr

We have been discussing IRM, DRM, DLP and other acronyms back and forth for quite a while now and I am sure there are a good bunch of solutions out there for those organizations that have policies and procedures in place to sufficiently plan, build and run such a tool. Thus, I was pretty much “meh” about any discussions revolving around the pros and cons of approaches…
Well, our close friends sometimes surprise us with problems we never seem to have “seen” before. One of those friends runs a small System Integrator / VAR company and approached me with a problem that is common among these service providers: handling of RMAs…
Usually, if you have outsourcing agreements and service contracts, you would also have a number of SLAs that cover the use, transport, protection and security of data and mobile data storage devices such as flash-disks, thumb-drives or the very useful external hard drives, which are used to back-up full Virtual Servers if no SAN/NAS is available on-site.
Well, these SLAs cover exactly that: the STANDARD operating procedures and day-to-day handling of those devices. But what happens if one or more of the external hard-drives becomes defective and is not accessible because the controller is broken? You just had a full back-up pushed onto that drive last Friday and – during your standard tests of back-up media – you find the disk to be unresponsive due to controller failure. You KNOW that your client’s full data-center including Domain Controller, Exchange and ERP systems is on that drive. You are unable to read the data, you also cannot delete the drive and you cannot “open” the casing because it voids the warranty under which you would like to get the drive replaced by your vendor/distributor.
Actually, you would have to send in the defective drive as-is (with all your client-data on it) and wait to have it replaced or repaired. If replaced – what happens to the “raw disks”? They could easily be put into a computer or hooked up to another controller and data extracted. If repaired, the controller will be exchanged and at least QA tests will reveal the sensitive nature of the data stored…
According to the System Integrator community it is impossible to negotiate a special data-protection agreement with the Distributors, as their margins are already too low to invest in legal advisory regarding a set of 150 € products. Also, the clients are rather unwilling to sign a waiver that reduces or fully removes liability for any data breach from the SI. I would really LOVE to talk to some lawyers of the HD manufacturers and/or Distributors about this topic, as I fear that a large number of these RMAs happen without any thought about data protection…



© 2012 Sebastian Rohr, KuppingerCole